Wyndham Hotels Target of Credit Card Hackers, Again
According to an IDG News Service article on CIO.com on February 26th, the break-in occurred between late October 2009 and late January 2010, when the intrusion was finally discovered.
"A hacker intruded on our systems and accessed customers information from a limited number of franchised and managed properties," the company said on their website. "The hacker was able to move some information to an off-site URL before we discovered the intrusion."
Among the compromised information are guest names, card numbers, expiration dates, and other information gathered through a card's magnetic stripe.
Wyndham, which operates several chains including Days Inn, Ramada, Howard Johnson, and Super 8, has not released information on how many hotels were affected, or how many customer cards have been compromised.
In a letter to their customers, Wyndham announced that all the affected card numbers have been turned over to their appropriate card companies (Visa, Mastercard, American Express, and Discover) so the card companies could begin taking action monitoring the use of the affected accounts. Wyndham also notified the Secret Service, and is working with law enforcement to perform an in-depth investigation.
In a recent report by DarkReading.com, an online security trade publication, hackers reportedly hit hotel networks more than any other institution in 2009, including the often-hacked financial industry. The report continued on to say that 98 percent of the targeted data pertained to payment card information, with hotel security breaches going undiscovered for an average of 156 days.
"Attackers are using old vulnerabilities to get in and out. They know they aren't going to be detected [in many cases], so they are camping out and not trying to hide because no one's watching," Nicholas Percoco, senior vice president of Trustwave's Spider Labs, the company which compiled the report, told DarkReading.com.
This incident marks Wyndham's third reported data breach in the past year. Last February, the company recognized that tens of thousands of card numbers had been stolen by hackers between July and August of 2008. A second intrusion was announced by Wyndham in August 2009.
Victims of the most recent incident have not yet been notified. Wyndham expects to contact the affected customers by the end of March, after their initial investigation has been completed.
While the company announced that not all of their hotels were affected by the breach, they are encouraging all customers who believe their information may have been compromised to fill out a form about their stay on Wyndham's website, which will then be researched and responded to.