List: isn
Subject: [ISN] Learning from Wyndham's Data Breach
From: InfoSec News <alerts () infosecnews ! org>
Date: 2012-09-26 9:41:37
Message-ID: alpine.DEB.2.02.1209260441230.7728 () infosecnews ! org
http://www.csdecisions.com/2012/09/25/learning-from-wyndhams-data-breach/
By Erin Rigik
Associate Editor
csdecisions.com
Sep 25, 2012
In today's high tech world, no one is immune to a breach.
This June, The Federal Trade Commission (FTC) sued hotel dynasty Wyndham
Worldwide Corp., after the company suffered multiple security breaches.
Allegedly, customer credit card numbers and personal information were
stolen from the company three times in less than two years.
The hotel behemoth is an international giant operating resorts and
hotels under the Wyndham, Ramada, Super 8, Days Inn and Howard Johnson
brands, among others. The amount of credit card data that passes through
the company's accounting system each month is staggering.
However, the FTC pointed the finger at Wyndham's negligence in relation
to security policies at the company's Phoenix data center—where the
company stores and transfers data between its headquarters and its
individual business units. As a result, Russian hackers managed to
infiltrate its system and install phishing software on a myriad of
Wyndham servers, gaining access to more than 500,000 customer accounts
on three separate occasions between 2008 and 2010. Hackers then rang up
more than $10.6 million in fraudulent credit card transactions,
according to the suit filed in the U.S. District Court of Arizona.
More troubling still, according to the FTC's complaint, was that even after the
company learned of the first breach it failed to take action to prevent it from
happening again, and as a result the hackers were able to gain access not once
but on two additional occasions. Had Wyndham required more complex user IDs and
passwords, and changed the software that was storing customer credit card data
as unencrypted text, the company might have nipped the damage in the bud.
[...]
--
ExpandingSecurity.com Live OnLine classes won’t wreck your schedule.
Get that cert and be done before 2012 ends. Last ISSAP 2012 class starts
Sept. 25th. Last 2012 CISSP and CEH starts Oct. 1:
CEH info signup: http://www.expandingsecurity.com/product/ceh-certified-ethical-hacker-online/
CISSP info signup: http://www.expandingsecurity.com/product/cissp-live-online-10-week-course/
ISSAP info signup: http://www.expandingsecurity.com/product/issap-information-systems-security-architecture-professional/