Wyndham hotels hacked again

Wyndham Hotels, whose brands also include Days Inn, Ramada and Super 8, has reported another break-in, this time resulting in the theft of customer card data, including data from the cards' magnetic stripes.

The company has posted a notice on its website informing customers of the breach. A couple of points in that notice stand out:

In their FAQ about the incident they say it occurred between October 2009 and January 2010. That is a solid four-month window, long enough to have exposed a large amount of data, which makes it hard to know what to make of the following statement from their notice:

..the hack was immediately terminated and disabled..

The FAQ also says that they found out about the breach when some of their customers complained that their cards had been misused after stays at Wyndham properties. In other words, Wyndham did not detect the intrusion itself; the first alarm came from fraud on the victims' cards.

The notice also says:

..we will be contracting with a secure third party consumer reporting agency to match every active credit card in the United States with the consumer’s name and address and we will personally provide notice to those individuals, as well as an offer for free credit monitoring for a period of time..

It looks like customers outside the US are on their own if any of their cards are abused.

The hackers made off with "guest and/or cardholder names and card numbers, expiration dates and other data from the card's magnetic stripe". PCI DSS specifically requires that stored card numbers be encrypted or otherwise rendered unreadable (Requirement 3.4), and it prohibits storing the full contents of the magnetic stripe at all after authorization (Requirement 3.2). If attackers were able to pull card numbers and magnetic stripe data out of storage, it means one of three things:

  1. The data was stored in clear text
  2. The data was encrypted, but the encryption keys were not secured (for example, kept on the same host as the data or reachable from the compromised system)
  3. The data was stolen through an application attack that abused legitimate application functionality, so the attacker read data the application had already decrypted and never needed the keys

Whichever way the data was compromised, it is clear that they were not compliant with PCI DSS: either the card numbers were readable at rest, or full track data was being retained, which is forbidden regardless of whether it is encrypted. (Strictly, the notice does not say the data was taken from storage; capture in memory or in transit before it ever reached disk is also possible, and that would still mean full track data was flowing through systems the attackers controlled.) By the way, what were they thinking storing magnetic stripe data?
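One check a practitioner runs after a breach like this is to scan logs, database exports and disk images for cardholder data that should not be there at all: cleartext card numbers (PANs) and full track 1 or track 2 data. The script below is an added example, not code from the original post or from Wyndham. The log lines it scans are constructed for the example and use the standard Visa, Mastercard and American Express test card numbers; the line format is invented. It applies the Luhn check to weed out random digit runs, parses the ISO/IEC 7813 track layouts, and reports findings masked to first six and last four digits so that the scanner's own output does not become another copy of the data.

```python
"""Scan text for cleartext primary account numbers (PANs) and magnetic
stripe track data, the kind of check a PCI assessor runs against logs,
database dumps and disk images to find cardholder data that should not
be there. Added example; not code from the original post or from Wyndham."""
import re

# 13-19 digits, optionally grouped with spaces or dashes, not part of a
# longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 1 (ISO/IEC 7813): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2 (ISO/IEC 7813): ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits (PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str):
    """Return (kind, masked_pan) findings for one line of text."""
    findings, covered = [], []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((kind, mask(m.group(1))))
                covered.append(m.span())
    for m in PAN_RE.finditer(line):
        # A PAN already reported as part of track data is not reported twice.
        if any(s <= m.start() < e for s, e in covered):
            continue
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("pan", mask(digits)))
    return findings


def scan(text: str):
    """Scan multi-line text; returns [(line_no, kind, masked_pan), ...]."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        out.extend((no, kind, pan) for kind, pan in scan_line(line))
    return out


# Constructed sample log (invented format, standard test card numbers):
# line 1 logs a PAN in the clear, lines 2 and 3 log raw track data, line 4
# holds a number that fails Luhn, line 5 a 16-digit order id that also fails.
SAMPLE = """\
2010-01-12 03:14:07 pos01 auth ok card=4111 1111 1111 1111 exp=12/12 amt=189.00
2010-01-12 03:14:09 pos01 debug track2=;5500000000000004=1212101123456789?
2010-01-12 03:15:22 pos02 debug track1=%B378282246310005^DOE/JANE^1212101000000000?
2010-01-12 03:16:01 pos02 auth ok token=tok_9f3a... ref=4111111111111112
2010-01-12 03:17:45 pos03 order id=1234567890123456 status=ok
"""

if __name__ == "__main__":
    for line_no, kind, masked in scan(SAMPLE):
        print(f"line {line_no}: {kind} {masked}")
```

Run it as-is to see the three findings for the embedded sample; for real discovery, pass a file's contents to scan(). Expect some false positives from long numeric identifiers that happen to pass Luhn, and false negatives wherever the data is encoded, compressed or encrypted, so treat a clean scan as a discovery aid rather than proof of absence.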

In a way, I can understand their problem. There are always problems when you work with franchisees who know the hotel business but not the compliance and security side of it. What bothers me is that (by their own admission) their central servers were compromised. That raises questions about the competence of their IT staff.

This is the third data breach Wyndham has reported in the past year. In February 2009, Wyndham reported a breach, which had occurred between July and August 2008, that compromised tens of thousands of credit card numbers, and it warned customers of a second breach in August 2009.