Losing Sleep Over Three Data Breaches in a Year

Never mind three strikes and you're out. How about three strikes and I've got to ask myself if I even want to be in one of your hotels in the first place.

The question arises after a third reported incident in 12 months involving the Wyndham Hotels chain. Granted, even the most security-conscious of companies can be victimized by hackers, but when you've had to cop to a third data breach in less than a year you'll have to forgive prospective customers for looking elsewhere for shelter. Or to pay in cash.

From an IDG News Service story on our Web site last week: "Hackers were able to steal data required for credit card fraud, the company said, including 'guest names and card numbers, expiration dates and other data from the card's magnetic stripe.' Wyndham did not say how many (of its) hotels were hacked or how many customers were affected."

The Wyndham chain includes such familiar brand names as Ramada, Days Inn, Super8, Howard Johnson and Travelodge.

Here's a snippet of the boilerplate-filled mea culpa posted to the Wyndham site: "In addition to ensuring that the hack was immediately terminated and disabled, we promptly retained a qualified investigator to assess the problem and ensure that we had isolated it, and then to help us implement the proper changes to strengthen and improve the security of our connections with each of our WHR branded properties. Further, the impacted properties are being separately investigated by a qualified PCI investigative firm to assess and improve the security at each hotel property in the system."

Those are good ideas all, but they would have been even better ideas had they occurred and been implemented effectively after the breach Wyndham acknowledged last August.

And they'd have been a model of corporate responsibility had they blossomed after the first of the three breaches, which was revealed to the public six months earlier.

Do I judge Wyndham too harshly? I asked Kelly Todd, a project manager for DataLossDB, which tracks and compiles information about data breaches. Todd's reply: "Personally, I'd try my best to avoid using any business that suffered multiple breaches in a relatively short time frame. For instance, if you swipe your credit card through an ATM that gets a skimmer attached to it three times in a year, it might be time to switch ATMs. I don't see why trusting a hotel chain -- or any business for that matter -- with credit card information should be different."

So here's the question I sent to a pair of Wyndham public relations executives: "Given that this was the third such incident involving Wyndham in the past year alone, why wouldn't a prudent business traveler or vacationer be well advised to avoid Wyndham hotels rather than risk being a victim of the next such incident?"

Twice they indicated their desire to respond.

I'm still waiting.

If you'd like to answer the question for Wyndham, please feel free. The address is buzz@nww.com.

This story, "Losing Sleep Over Three Data Breaches in a Year" was originally published by Network World.

Copyright © 2010 IDG Communications, Inc.
