The recent federal action against Wyndham Worldwide for the cyber theft of more than 600,000 customer payment records is raising questions about data security at event venues and just how groups can better protect themselves.
The Federal Trade Commission (FTC) in June filed a lawsuit against the hotel company for a variety of alleged security failures, including inadequate use of firewalls, storing sensitive data in plain text, and creating simple, easily hacked computer passwords.
Wyndham reported three data breaches between 2008 and 2009. Hackers—whom authorities traced to an Internet domain name registered in Russia—made fraudulent transactions with the stolen payment data that topped $10.6 million, according to the FTC. But Wyndham is not alone in falling prey to cyber theft. Electronic payment processor Global Payments suffered the theft of up to 1.5 million credit card numbers earlier this year, and in July, tech giant Yahoo reported that hackers stole the user names and passwords for 450,000 e-mail accounts.
Last year, more than 300 Web-based data breaches were publicly disclosed by organizations in 18 countries, according to Trustwave, a leading provider of security for electronic payment systems, in its Trustwave 2012 Global Security Report. Even more disheartening, third parties responsible for system development, support or maintenance had inadvertently introduced security deficiencies in three-quarters of the breaches, according to the Trustwave report. And anti-virus software installed on the infected computers detected less than 12 percent of the malware (commonly referred to as viruses), the company found.
But end users—in this case, employees at hotels and other meeting venues—also bear responsibility. One of the biggest security problems, according to Trustwave, is that users simply retain the default password on many computers, which is “password” or “welcome.” The report makes clear that hackers target customer records such as credit card information and e-mail addresses. Customer records accounted for 89 percent of breached data last year, according to Trustwave.
The food and beverage industry accounted for the highest percentage of breaches for the second year in a row, at 44 percent, according to the report, with retail second at 34 percent and hospitality a distant third at 8 percent.
“Those most susceptible will be businesses that maintain customer records or that consumers frequent most, such as restaurants, retail stores and hotels,” the report states.
More than one-third of breaches in those top three categories occurred at franchise businesses, prompting the report to add, “The risk is even greater for brand-name chains.”
“In the event a security deficiency exists within a specific system, deficiencies will be duplicated among the entire franchise base,” the report explains. “Cyber criminals took full advantage of this vulnerability.”
In fact, that’s exactly what happened at Wyndham.
In April 2008, hackers broke into the computer network of a property in Phoenix and, from there, tapped into the property management systems of other hotels in the chain via Wyndham’s corporate computer network, according to the FTC.
In the second breach, in March 2009, hackers broke into the Wyndham data center in Phoenix and compromised an administrator account; another administrator account was compromised in the third breach, in late 2009. In all, data was stolen from 41 Wyndham properties, according to the FTC.
The government lawsuit asks that Wyndham adhere to its own data security policies and all applicable laws, in addition to paying any financial losses that customers suffered. In response, Wyndham said it knew of no guests who had incurred financial losses and that it has tightened its security measures in compliance with the law.
One of the world’s largest hotel companies, Wyndham Worldwide franchises or manages some 7,150 hotels under 17 brands, including Ramada, Howard Johnson’s, Planet Hollywood and Wyndham.
Given the chain nature of many hotels—and thus their connected computer systems—meeting planners will probably make little headway in trying to get specific properties to beef up data security through contract provisions, according to Lisa Sommer Devlin, a Phoenix-based attorney who primarily represents hotels in group contracting.
“The laws, both in the U.S. and internationally, have stringent requirements for payment card security that hotels, like other merchants, are required to follow,” Devlin says. “These security measures are put in at the corporate level and can’t be changed on a case-by-case basis.
“I do see some customers wanting to add provisions guaranteeing that the hotel is in compliance with all applicable laws, including laws relating to PCI and protection of PII,” Devlin adds, referring to payment card industry (PCI) security standards and the protection of personally identifiable information (PII), requirements that most major hotels and chains already follow. “But again, the hotels are already obligated to be in compliance with the law, so adding that language doesn’t add anything.”
While agreeing with Devlin that groups can’t do much to affect data security measures at individual properties, Philadelphia-based industry lawyer Josh Grimes advocates that groups nonetheless include contract language to protect themselves legally and place liability specifically on event venues.
Grimes recommends two contract clauses: one addressing confidential/proprietary information, requiring the hotel to recognize that it is receiving—and will protect—a group’s confidential information; and if the hotel provides Internet connectivity, one on data security to warrant that the hotel safeguards data transmissions from hackers.
An indemnification clause in which the hotel protects the group from any damages arising from the hotel’s mishandling of proprietary data should also accompany either contract provision, he says.
“In addition, meeting planners should do their own research to check the experience and credentials of the provider of Internet services or data at their meeting location,” Grimes advises. “They should ask the hotel if there have been issues with data theft before, and also ask exactly how the provider will protect the group’s data and confidential information.
“If there is a breach, the group should have a way to notify its attendees promptly so that passwords can be changed and cards canceled if necessary,” Grimes adds.
John Foster, an Atlanta-based industry attorney who also mainly represents groups, includes extensive contract language that holds meeting venues responsible for damages arising from the unauthorized use of proprietary data and spells out the actions that venues will take should a breach occur.
“Some hotels attempt to transfer the risk of disclosure to the meeting sponsor,” Foster says. “I don’t recommend that meeting sponsors agree to this risk transfer. Hotels are the ones collecting the information and have the final say-so on what happens to the information.”
And hotels that are at fault must be prepared to pay the price, Foster asserts.
“If the hotel is willful or negligent in releasing the personal information to third parties without consent of the group or guest, respectively,” he says, “hotels should have the total liability.”
Marshall Krantz is a longtime chronicler of meetings industry issues.