The United States Court of Appeals for the Third Circuit ruled on Monday, August 24, that the United States Federal Trade Commission has the authority to pursue legal action against companies that fail to protect customer data.
This decision comes after a series of court cases related to the 2008 & 2009 Wyndham Worldwide data breaches affecting 500,000 individuals. Wyndham had previously challenged the FTC’s authority, stating the agency has no clearly defined standards and procedures for companies to follow.
In 2012, the FTC sued Wyndham on behalf of its’ consumers, accusing the company of having weak information security standards in place which contributed directly to the $10.6 million in fraudulent purchases on the victims’ credit cards.
According to the ruling, attackers had reasonably easy access to the company’s network. The company’s hotels stored unencrypted payment card data in readable text and used easily guessed passwords to access its property management systems. The attackers were able to repeatedly guess users’ login IDs & passwords, gaining them access to administrator accounts on the network.
Following the first cyber-attack, hackers were again able to access the network through an administrative account and install memory scraping malware onto more than thirty of the hotels’ computer systems, going unnoticed for over 2 months until consumers began filing complaints about fraudulent charges.
Although Wyndham has claimed they used ‘industry standard practices’ to secure customer data, the FTC alleges that Wyndham did not use encryption, firewalls, or any other reasonable methods for protecting customer data.
The concept of security best practices have been devised for a reason, and the unfortunate reality is, these breaches will continue to happen without the best security practices and solutions in place. With NNT’s Change Tracker Gen 7, you’ll be equipped with solutions like File Integrity Monitoring and Change & Configuration Management to help protect customers’ credential and information from a possible breach.
See more on PCI DSS
Read more about Change Tracker Gen 7 here
Read more on CSO Online here
Read the Article on Threat Post here