The U.S. government has sued Wyndham Worldwide Corp. over allegations that it failed to protect consumers' credit card data.
The Federal Trade Commission says the hotel company suffered three data breaches from 2008 through 2010 that compromised more than 600,000 accounts. Many of the customers reported fraudulent charges because of the breaches, the agency alleges.
Wyndham, based in Parsippany, N.J., disputes the allegations in the suit, which was filed in federal court in Phoenix. It says it will contest them. The company says it has made significant improvements to its data security since the breaches occurred.
The agency said that hundreds of thousands of customers' credit card information went to an internet address registered in Russia. The intruders gained access to Wyndham's computer network in Phoenix, the FTC said.
Wyndham failed to take proper security measures, the FTC alleges, such as employing complex user IDs and passwords. And it allowed improper software setups that resulted in credit card information being stored in clear readable text, the suit says.
The FTC is seeking unspecified restitution from Wyndham in the civil lawsuit.
Wyndham manages and franchises about 7,000 hotels around the world. In addition to Wyndham, its brands include Ramada, Days Inn, Travelodge, Super 8 and Howard Johnson.
The company said that as a result of the breaches, "cyber criminals potentially accessed a limited amount of customer information" at some Wyndham Hotels.
When the breaches occurred, Wyndham promptly notified the hotel customers who may have been affected and offered them credit monitoring services, the company said in a statement. "To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks," the statement said.
Wyndham also said it doesn't expect the outcome of the litigation with the FTC to have a significant negative effect on the company's finances.