Courts Uphold FTC Regulation-Punishment to Negligent Company

Threatpost has the story: https://threatpost.com/court-rules-ftc-has-authority-to-punish-wyndham-over-breaches/114390
The court's opinion (http://www2.ca3.uscourts.gov/opinarch/143514p.pdf) contains some interesting details. It lists the cybersecurity failures the FTC alleged at Wyndham:
- Stored payment card data in clear, readable text (storing unencrypted card numbers violates the PCI DSS)
- Allowed easily guessed passwords (example: the default password "micros" left on Micros property management systems)
- Did not use firewalls between the corporate network, the hotels' property management systems, and the Internet
- Hotel property management systems were not adequately configured or secured
- Third-party vendor access to network resources was not properly restricted
- No reasonable measures to detect and prevent unauthorized access
- Inadequate incident response procedures
This reads as a checklist of what not to do. Admittedly, even if you do everything you can, you might still get hacked; but if you do not, you will get hacked. And now you will also be punished by a government agency. Who would have thought that the FTC would, in a roundabout way, regulate and punish a hotel company like Wyndham?
How is the FTC able to bring such a claim? Its authority comes from Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. The Third Circuit held that a company's failure to maintain reasonable cybersecurity can be an "unfair" practice under that section, and that Wyndham had fair notice its practices could fall short of that standard. The FTC also alleged that Wyndham's privacy policy, which promised to protect customer data, was deceptive given what the company actually did.
{ The FTC said that Wyndham engaged in unfair and deceptive practices by claiming that it used “industry standard practices” to secure customer data, though the attackers were able to steal unencrypted data belonging to tens of thousands of customers. }