Wyndham Hotels & Resorts

Under Review: No Review
Date Breach Made Public: February 28, 2010
Dallas, TX
United States
Records Breached:
Breach Total Number: 500 000
Year of Breach:
Type of organization:
Type of breach:

International hotel group Wyndham Hotels and Resorts (WHR) has suffered yet another serious data breach after hackers broke into its computer systems, stealing customer names and payment card information.

UPDATE (05/18/2010): An open letter from Wyndham to its customers: www.wyndhamworldwide.com/customer_care/data-claim.cfm

UPDATE (05/12/2011): Wyndham identified 42 additional New Hampshire residents who were affected by the 2010 breach.  The total number of people affected by hacking incidents at Wyndham in 2009 and 2010 is likely to be large since 37 hotels under Wyndham's hotel group were affected.

UPDATE (06/26/2012): The FTC has filed a complaint against Wyndham hotels for failure to protect the personal information of consumers.  Wyndham hotels and three of its subsidiaries are accused of data security failures that led to three data breaches at Wyndham hotels between 2009 and 2011.  The FTC accused them of allowing failures that led to fraudulent charges on consumers' accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers' payment card account information to an internet domain address registered in Russia.  The FTC statement can be read here: http://www.ftc.gov/opa/2012/06/wyndham.shtm.

UPDATE (08/30/2012): Wyndham Hotels & Resorts LLC is contending that the FTC lacks the authority to regulate private companies' data security practices. Wyndham moved to dismiss the FTC's Arizona federal court case on the basis of this assertion.

UPDATE (06/25/2014): On June 25th, the Federal Trade Commission "sufficiently alleged that several Wyndham Hotels entities operated as a common enterprise in the commission's data security enforcement action against them, the U.S. District Court for the District of New Jersey held June 23, in an unpublished opinion. The court is allowing Wyndham Hotels and Resorts LLC an interlocutory review of portions of an earlier April 7th opinion denying the company's separate motion to dismiss, Judge Esther Salas wrote in a second unpublished opinion (FTC v. Wyndham Worldwide Corp., 2014 BL 174519, D.N.J., No. 2:13-cv-01887, unpublished opinion 6/23/14)".

UPDATE (12/09/2015): Wyndham Hotels has settled with the FTC over allegations that it failed to properly secure customer credit card information.

"A consent order outlining the settlement was filed with the federal court in Newark, New Jersey, 3-1/2 months after the 3rd U.S. Circuit Court of Appeals in Philadelphia said the FTC had authority to regulate corporate cyber security.

Under the order, Wyndham must establish a comprehensive information security program designed to protect cardholder data including payment card numbers, names and expiration dates, the FTC said."

More information: http://www.reuters.com/article/us-wyndham-ftc-cybersecurity-idUSKBN0TS24...