FTC vs. Wyndham: A Data Security Case Study In What Not-To-Do

Don Miller

The FTC v. Wyndham Worldwide Corp. case has generated a lot of attention relating to who is prosecuting the case—the Federal Trade Commission (“FTC”). Many folks do not identify the FTC as an agency responsible for policing data security practices. Truth is, the FTC has been using its unfairness authority to regulate data-security practices for many years. While the scope of the FTC’s authority to pursue companies for lax data-security practices is an interesting issue, we will not delve into it because it has nothing to do with the MFT Nation’s mission, which is to keep you updated on happenings in the world of managed file transfer and data security.

Earlier this week, we posted a blog commenting on one aspect of the Wyndham case—i.e., failing to install software patches or updates for out-of-date software can create entry points for spies, hackers and other malicious actors. We are pleased to see that the blog has been so well-received, and that people are beginning to focus more on the age of individual pieces in their software portfolio. We also said in that earlier blog that the Wyndham case serves as a good case study for what not-to-do in the rapidly changing world of data security, and promised to share some additional thoughts about the case at a later date. That is the purpose of this post. We want to look at what Wyndham’s IT folks allegedly did in order to incur the wrath of the FTC, and then discuss steps you can take to avoid such a situation.

Wyndham operates a data center in Phoenix, Arizona that it uses to store and process credit card data. The FTC took issue with the alleged “security insufficiencies” at the data center, including the following:

  • Allowing software to be configured inappropriately, resulting in the storage of payment card information in clear readable text.
  • Failing to implement adequate information security policies and procedures prior to allowing outside users to connect to Wyndham’s computer network.
  • Allowing servers to connect to the network despite the fact that well-known default user IDs and passwords were enabled on the servers, which were easily available to hackers through simple Internet searches.
  • Failing to employ commonly-used methods to require user IDs and passwords that are difficult for hackers to guess. Wyndham did not require the use of complex passwords for access to its systems and allowed the use of easily guessed passwords. For example, to allow remote access to a property management system, which was developed by software developer Micros Systems, Inc., Wyndham used the phrase “micros” as both the user ID and the password.
  • Failing to adequately inventory computers connected to the network so Wyndham could appropriately manage the devices on its network.
  • Failing to employ reasonable measures to detect and prevent unauthorized access to the computer network or to conduct security investigations.
  • Failing to follow proper incident response procedures, including failing to monitor the computer network for malware used in a previous intrusion.
  • Failing to adequately restrict third-party vendors’ access to Wyndham’s network, such as by restricting certain connections to specified IP addresses, or granting temporary, limited access, as necessary.

The court found that these allegations, if proven, were sufficient for purposes of establishing liability under the FTC Act for failing to employ “reasonable” measures to protect its customers’ personal information.

Some commentators have used this case to strike fear into the hearts and minds of IT professionals. These commentators say that it is impossible for companies to develop a data security plan based on such an ill-defined standard of “reasonableness.” But I suggest that the take-away for IT professionals is much more basic. This case was brought because of the utter incompetence of those who built and maintained (I use that term loosely) the Wyndham network. Consider that:

  • The same group of Russian hackers gained access to the network not once, not twice, but on three separate occasions.
  • On each occasion, the hackers were able to go undetected for days, or even months at a time.
  • All the bad acts transpired over a relatively short, 19-month period.
  • The intruders used “similar techniques” on each of the three occasions, yet Wyndham “failed to take appropriate steps in a reasonable time frame” to prevent further compromise of the network.
  • Wyndham’s practices, when “taken together, unreasonably and unnecessarily exposed consumer’s personal data to unauthorized access and theft.”

In other words, all three intrusions were easily preventable, especially if Wyndham had deployed a secure/managed file transfer solution. Nearly two years ago, the MFT Nation blog offered tips for creating and maintaining secure passwords. An experienced professional services team that has the technical skill and knowledge required to integrate a file transfer solution into an organization’s existing environment could have helped to avoid the configuration issues noted in the Wyndham case. A good managed file transfer solution could have helped with the “security insufficiencies,” in at least the following respects:

  • Ensure that administrators can enforce a secure password environment when users change or create passwords
  • Allow users to store data in an encrypted format
  • Have a secure cryptographic module that has been certified under the FIPS 140-2 standard
  • Be proactive in preventing attacks by disabling user IDs after a specified number of failed attempts
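To make the password-policy and lockout controls in the list above concrete, and to tie them back to the default-credential problem in the complaint (the “micros”/“micros” pair), here is an added illustration written for this post. It is not code from any managed file transfer product, from Wyndham, or from the FTC filings. The minimum length of 12 characters, the lockout threshold of 5 failed attempts, the 15-minute lockout window and the list of default credentials are all assumed values chosen for the example; only the “micros” pair comes from the case.

```python
"""Added example: password-policy enforcement, rejection of known vendor
default credentials, and account lockout after repeated failed logins.
All thresholds below are assumptions for illustration, not a product's settings."""
import re
import time
from dataclasses import dataclass, field

# Constructed list of (user_id, password) defaults to refuse outright.
# "micros"/"micros" is the pair cited in the FTC complaint; the rest are placeholders.
DEFAULT_CREDENTIALS = {
    ("micros", "micros"),
    ("admin", "admin"),
    ("administrator", "password"),
}

MIN_LENGTH = 12            # assumed minimum password length
MAX_FAILED_ATTEMPTS = 5    # assumed number of failures before lockout
LOCKOUT_SECONDS = 15 * 60  # assumed lockout duration


def password_policy_violations(user_id: str, password: str) -> list:
    """Return the reasons a proposed password is unacceptable (empty list == OK).

    This is the check an administrator-enforced policy would run whenever a
    user creates or changes a password."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        problems.append("fewer than three character classes")
    if user_id.lower() in password.lower():
        problems.append("contains the user ID")
    if (user_id.lower(), password.lower()) in DEFAULT_CREDENTIALS:
        problems.append("matches a known vendor default credential")
    return problems


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


@dataclass
class LockoutPolicy:
    """Tracks failed logins per user ID and disables the ID once the threshold is hit."""
    accounts: dict = field(default_factory=dict)

    def _state(self, user_id: str) -> AccountState:
        return self.accounts.setdefault(user_id, AccountState())

    def is_locked(self, user_id: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        return self._state(user_id).locked_until > now

    def record_attempt(self, user_id: str, success: bool, now: float = None) -> str:
        """Record one authentication attempt and return 'ok', 'failed' or 'locked'.

        A locked account stays locked even if the correct password is presented,
        so a brute-force attempt cannot unlock itself by eventually guessing right."""
        now = time.time() if now is None else now
        st = self._state(user_id)
        if st.locked_until > now:
            return "locked"
        if success:
            st.failed_attempts = 0
            return "ok"
        st.failed_attempts += 1
        if st.failed_attempts >= MAX_FAILED_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failed_attempts = 0
            return "locked"
        return "failed"


if __name__ == "__main__":
    # The vendor default from the complaint fails every rule at once.
    print(password_policy_violations("micros", "micros"))
    # A policy-compliant password passes with no findings.
    print(password_policy_violations("alice", "Tr0ub4dor&3xample"))
    policy = LockoutPolicy()
    t0 = 1_000.0
    for _ in range(MAX_FAILED_ATTEMPTS):
        last = policy.record_attempt("bob", False, now=t0)
    print(last, policy.is_locked("bob", now=t0 + 60))
```

The two pieces are independent: the policy check belongs where passwords are set, and the lockout tracker wraps the authentication path. In a real deployment the account state would live in a shared store rather than an in-memory dictionary, and the lockout event is also worth logging, since a burst of failures against a service account is exactly the signal the complaint says went unnoticed.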

The Wyndham case is still in its very early stages, and this decision from the district court will probably not be the final word. In fact, the U.S. Court of Appeals for the Third Circuit granted a petition by Wyndham for an interlocutory appeal of portions of the district court’s decision. Stay tuned to MFT Nation for developments in the case as they relate to managed file transfer and data security.