

Dec 27, 2014

FTC Sues Wyndham over Massive Credit Card Breaches


WASHINGTON, D.C. —  Last week the Federal Trade Commission announced it had filed a lawsuit against hotel chain Wyndham Worldwide Corporation (NYSE:WYN) and three of its subsidiaries for gross negligence in handling their guests' personal card information. Three breaches, allegedly involving more than half a million payment cards, were made by international cyber spies through multiple Wyndham databases in less than two years.

The FTC blames Wyndham for its negligent management of its guests' personal information. The government says the hotel conglomerate's failure to take reasonable precautions to secure guest information after the first security breach, which it knew about, led to $10.2 million in fraudulent charges on hotel guests' accounts, as well as the theft and transfer of hundreds of thousands of consumers' credit card and personal information to an Internet domain address registered in Russia. The Federal Trade Commission says that Wyndham misrepresented itself when it failed to inform consumers of the lack of measures taken to protect guests' personal information.

Nonsense, retorts Wyndham Worldwide, the world's largest hotel conglomerate. "At the time of these incidents, we made prompt efforts to notify the hotel customers whose information may have been compromised, and offered them credit monitoring services," says Michael Valentino, spokesperson for Wyndham Worldwide and its 7,000 hotels. "To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks."

Bruce Schaeffer, founder and president of Franchise Valuations Ltd., observes that personal data breaches among franchise chains are more frequent than commonly thought because chains inadequately manage their security measures. "I have more toes on my right foot than there are franchisors that I know of that do any, much less regular, penetration testing of their networks and have information security policies and procedures in place — and written in their operating manuals," says attorney Schaeffer. "Regular application layer vulnerability testing is required for all Internet facing applications in addition to code reviews before they go live," cautions Henry Chan of Franchise Valuations' cyber security unit, Franchise Technology Risk Management.

"The other risk to point out is that most franchisors outsource all of their technology development," observes Chan. "There is no control or degree of confidence that they are receiving secure code."

Franchisees warned Wyndham to fix their servers

Jay Patel, interim president of the Owners 8 franchisee association, which represents hotel owners in various Wyndham brands like Microtel, Days Inn, Super 8 and Ramada, recalls that two and a half years ago the franchisor wanted expensive upgrades to software at the hotel level. But its leaders seemed indifferent to security issues at the franchisor level after the company's first breach of security. Wyndham wanted a third party to take over the security of the payment card software that registers guests' credit cards at hotels.

The hotel owners balked, thinking that Wyndham's move of the card software program and management completely to a third party vendor was irresponsible.

"The major component that affects us [hotel owners] is the fact that the franchisor will abandon support of the software," complained the Owners 8 Association in an email to Wyndham Hotel Group president Eric Danzinger on February 25, 2010. Franchisees warned Wyndham that guests were exposed to theft of their data from the franchisor's servers.

Schaeffer agrees that outsourcing database security is a dangerous thing, but points out that Wyndham isn't alone in doing this. "Most franchisors outsource all of their technology development. There is no control or degree of confidence that they are receiving secure code."

Having deep high-tech resources, the franchise owners, largely with ethnic origins from India, complained that they could upgrade their old software at a fraction of the cost that Wyndham wanted to charge them for the new one. They suspected the inflated prices to franchisees represented hidden kickbacks to the franchisor. "Some ethical questions surround the whole process of the system upgrade and we hoped to receive some clarity," wrote the association to Wyndham's CEO Eric Danzinger.

The franchisor ignored the letter from the independent association.

A day after the franchisees' letter went out to Wyndham's CEO, the news services ran yet another public story that Wyndham Hotels had been hacked again.

Jay Patel says it became worse. "No response came from the Wyndham Hotel Group hierarchy." So members of the association brought the corporate server security weaknesses up to Wyndham's Information Technology department. "They stated that the system was secure," says the association's new president. "They just indicated the server breach was an isolated incident."

Meanwhile, the franchise owners who did not upgrade to the third-party software were taken off the grid, resulting in guests unable to book the rooms at those hotels. Wyndham indicated that franchisees could be terminated for not upgrading.

Ironically, in the end the problem was not franchise owners failing to spend money to upgrade their payment card software, but rather the franchisor's failure to spend sufficient money to upgrade its own servers against attack, say franchisees.

The franchisor's problem, hints Patel, is that it cannot see the plank in its own eye and instead focuses on the speck in the franchisees' in order to collect revenue. "The negative publicity received from the data breaches is not something that we as franchisees expect from our franchisor," now declares the Savannah hotel owner. "The FTC has seen multiple data breaches from one company and has reacted with the filing of a case against Wyndham Hotel Group. Despite their being notified of our concerns over two years ago, Wyndham still did not secure their systems. As franchisees, we can continue the dialogue or we can escalate this to the next level," declares an exasperated Patel.

Wyndham's brand loyalty expected to fall

Robert Passikoff, founder and president of New York City-based Brand Keys Inc. thinks consumers are about to give Wyndham a jolt of reality. In his 2012 customer loyalty engagement survey, Wyndham is ranked in the middle, fifth out of eight. "I wouldn't be surprised if the brand moved down the ranking," says Passikoff. The branding expert explains that brands in the top three, like number one ranked Hilton, receive the benefit of the doubt effect when it comes to bad news. "Brands that engender higher degrees of loyalty are six times more likely to be given the benefit of the doubt in 'uncertain' circumstances, i.e., failure to secure customers' personal information. Those with weaker loyalty and engagement ties are bound to feel the disappointment and ire of customers."

WYN Chart

"I don't think, if it is handled right, there will be permanent damage to the brand," says Stephen Coltrin, chairman and CEO of public relations firm Coltrin & Associates. He is behind the scenes of some of the country's largest franchise chains. Coltrin is arguably best known for working with Mitt Romney to revive a scandalized Olympic Winter Games in Salt Lake City in 2002.

Crisis management expert Coltrin adds, "The brand can emerge stronger and better perceived."

Passikoff also thinks Wyndham can recover. However, he suggests that Wyndham quickly develop better database security and hire a brand loyalty expert to contain the damage.

Coltrin is concerned about how the company is now coming across. He believes that Wyndham needs to have its CEO talk about the database breach, not a company spokesperson. "A spokesperson is perceived as a spokesperson, saying what someone wants them to say. I would have the chief executive officer make a public statement."

So far the stock market seems unconcerned about the security lawsuit as Wyndham's price continues its upward march (see chart).

Wyndham's spokesperson Valentino concludes, "In a time when cyber attacks on private and public institutions are on the rise globally, safeguarding customer information remains a top priority at Wyndham Worldwide. Unfortunately, as this matter is now the subject of pending litigation, it would be inappropriate for us to provide further comment at this time."

That's not how the public relations company sees the event. "Wyndham must view transparency as their friend and not their enemy," Coltrin emphasizes.

Patel of Owners 8 is considering whether hotel owners may be in a position to help the franchisor by creating a cooperative in which franchisees take over the chain's information technology solutions, like cyber security. That could take the heat and liability for cyber theft away from the franchisor in the future and let franchisees decide on IT efforts. "We will definitely communicate with Wyndham and suggest working together to attain a better relationship, which has always been our goal at Owners 8 Association." He adds that the independent franchisee association shouldn't be ignored but rather it can be a valuable resource to Wyndham. "Our Owners 8 now has new leaders and we are open for discussion with Wyndham and for better communication," says its leader.
