These facts underscore several crucial considerations for hotel companies regarding how guest data is collected, secured and retained. Some of these considerations aren’t ones that our industry normally associates with data security concerns. Here are some of the key takeaways:
2018 also saw a rash of low-tech social engineering attacks against individual hotels, and this type of attack has continued into 2019. Criminals commence these attacks by posing as brand systems support personnel and making phone calls to hotel employees. The employees are asked to provide their login credentials for the reservation management system.
Cybercriminal: Hello, I’m calling from [brand] system support. We’re having difficulty with the reservation process on your end, and we need to check it. Can you please log in for me?
Employee: Sure. [Logs in]
Cybercriminal: We’re still having an issue. Can you please give me your username and password so I can try it on our end.
Employee: No problem. My username is … and my password is …
Using the stolen credentials, the criminal remotely accesses the reservation management system and retrieved information about recent guest bookings, including guest names, addresses, phone numbers, reservation dates, and partial payment card information. Although the systems typically show only partial credit card number, in some cases the criminals are able to unmask the obscured numbers.
The criminal then calls guests with future reservations:
Cybercriminal: Hello, I’m calling from [hotel name] regarding your reservation from to [check-out date]. We’re having a problem processing your credit card. The last four numbers are [XXXX]. Could you please provide me with your full credit card information, including security code, so we can get that taken care of.
Because the criminal has accurate information about the reservation, the guest is more likely to fall for the scam. Once the guest has supplied the card information, the criminal quickly racks up fraudulent charges. Fortunately, most guests don’t trust these calls, but they are bad for the reputation of the hotel and brand. Depending on what information is exposed, the unauthorized access to the reservation management system may legally be considered a data breach that requires notification to affected individuals and regulators.
To help protect your organization from these types of social engineering attacks:
This article is part of our Conference Materials Library and has a PowerPoint counterpart that can be accessed in the Resource Libary.
HospitalityLawyer.com® provides numerous resources to all sponsors and attendees of The Hospitality Law Conference: Series 2.0 (Houston and Washington D.C.). If you have attended one of our conferences in the last 12 months you can access our Travel Risk Library, Conference Materials Library, ADA Risk Library, Electronic Journal, Rooms Chronicle and more, by creating an account. Our libraries are filled with white papers and presentations by industry leaders, hotel and restaurant experts, and hotel and restaurant lawyers. Click here to create an account or, if you already have an account, click here to login.
]]>So-called “price gouging” is where a business providing essential consumer goods or services takes advantage of abnormal market conditions caused be events such as natural disasters, armed conflicts or other crises, by raising prices to excessive levels.
To date, 34 U.S. states have enacted anti-price gouging legislation. Typically, these statutes make it illegal for a business to raise prices or rates for essential goods or services during an emergency. In most cases the laws impose specific price limitations for essential items or services where a state of emergency has been declared, and those limitations usually remain in effect for a period of time following the declaration of a state of emergency.
A common approach of anti-price gouging laws is to preclude businesses from raising prices by more than 10 percent compared to their prices immediately before the declaration of a state of emergency, and that limitation would remain in effect for 30 days from the declaration of the state of emergency. Failure to comply with the limitations could expose the businesses to civil and/or criminal penalties and possibly private claims by affected consumers.
Lodging is considered an essential consumer service under anti-price gouging laws. This year, state attorneys general and district attorneys began to aggressively target hotels for investigation when states of emergency are declared.
The allegation is that room rates charged during and soon after a disaster or crisis exceed prior rooms rates by an exorbitant amount and the implication is that the hotels are taking advantage of abnormal market conditions resulting from a disaster or other emergency in order to profit from it. Hotels are being required to disclose comparative room rate data to investigators seeking to prove price gouging. The issue is complicated by the fact that many hotels set rates on a semi-automated basis using systems that track demand and “comp set” rates published by competing hotels, and in those circumstances room rates may fluctuate beyond the imposed statutory limits without hotel personnel controlling the fluctuations.
Responding to investigations can be time-consuming and expensive, and in some cases the explanations for room rate movement is complex and difficult to explain persuasively to investigating agencies. Hotels under investigation for price gouging are at risk for significant penalties.
Hotels should be aware of whether the state in which they are located has an anti-price gouging law, what things trigger rate limitations, and the nature, extent and timing of those limitations. In addition, when a natural disaster, civil unrest or other crisis occurs, hotels must consciously exercise control over the movement of their room rates so that those rates do not exceed legal limitations.
About Sandy Brian Garfinkel
Garfinkel is a business litigator who serves as the chair of the firm’s Data Security & Privacy Group. Garfinkel also maintains a busy and diverse business litigation practice with a particular emphasis in the hospitality industry. As part of his work in the hospitality world he regularly assists hotel management and ownership companies in responding to regulatory investigations of many varieties.
Unfortunately, hotels and hotel companies have been, and continue to be, tempting and frequent targets for data thieves.
Why are hotels of such interest to information thieves? Several factors could be to blame. One may be that hotels do such a large amount of business through credit and debit card transactions, and payment card fraud is a favored type of identity theft crime among cyber criminals and those to whom they sell their stolen information. Another may be that hotels frequently must tie their data and computer systems together with the computer systems of others, such as the major hotel brands and, at times, outside vendors or contractors. High employee turnover and, in many cases, poor employee training in security practices may also contribute to the vulnerability of hotels to data thieves.
Wyndham’s Data Incidents
Arguably the most notorious set of hotel data breach incidents happened to Wyndham Worldwide Corporation during the period of 2008-2009. Here’s how those incidents unfolded:
In April of 2008, foreign hackers gained access to Wyndham’s computer system through a single computer in one of Wyndham’s franchised hotels that an employee at the property had connected to the internet. The internet connection permitted the hackers to intrude into the hotel computer. This computer was also connected to Wyndham’s property management and reservation system (all Wyndham franchised hotels are required by contract to utilize Wyndham’s management and reservations system). This pathway was used by the hackers to gain access to Wyndham’s own servers at its data center in Phoenix, Arizona. Once inside Wyndham’s system, the hackers obtained administrator passwords and access codes. At that point, the intruders had a ready pipeline to reach individual Wyndham franchised hotels that were connected to Wyndham’s central servers.
Within approximately a month, the hackers had used Wyndham’s computerized connections with its franchised hotels to compromise the computer systems of 41 different properties. Unfortunately, it took Wyndham a number of months to recognize that the intrusion had occurred.
Even more regrettably, the hackers returned twice more in 2009. Wyndham believed that the security vulnerabilities that had allowed the 2008 attack to occur had been remedied, but they had not. The second cyber attack on Wyndham resulted in the compromise of information from 39 franchised hotels; the third, 28 hotels.
The hackers, believed to have been operating from Russia, stole guest credit and debit card account information. In total, over 600,000 accounts were compromised in this series of breaches. By no means do these incidents qualify to be among the largest data breaches on record, especially compared to a few of the more recent highly publicized incidents, such as the 2013 pre-Christmas cyber attack against Target, in which over 70 million individuals were affected, or the more recent EBay data breach, which is said to have impacted over 233 million people. Nonetheless, the potential for payment card fraud as a result of the Wyndham breach has been estimated to exceed $10 million.
The consequences to Wyndham have been serious and seemingly endless. Initially, just after the incidents occurred, Wyndham issued notifications to all affected individuals. Such notifications are required by the data breach notification statutes of 47 U.S. states. The notification process was extremely expensive, in part because Wyndham first had to obtain contact information for the affected people based only upon credit card account numbers. Wyndham also provided a year of credit monitoring to affected individuals, at the company’s cost. In addition, Wyndham was required to spend time and resources attempting to satisfy a number of state consumer protection regulators and state attorneys general that it was adequately responding to the breaches.
As notifications were being processed, the franchised hotels began receiving notices from their credit card processors that the major credit card companies would be imposing assessments against the hotels, as merchants, for recovery of fraud costs associated with the breach incidents. The hotels turned to Wyndham and sought indemnification for these assessments. Ultimately, Wyndham bore the legal costs of challenging the majority of the credit card brand assessments and obtaining reductions in the fines.
Wyndham’s woes over the breach incidents were only just beginning. In April of 2012, the Federal Trade Commission brought a lawsuit against Wyndham in federal court, alleging that Wyndham had failed to observe adequate security practices concerning personal consumer information, and that these failures amounted to unfair and deceptive trade practices. The Commission’s complaint quoted the privacy policy which appears on Wyndham websites, which stated that Wyndham would use commercially reasonable efforts to protect the personal identifying information of its customers. The complaint then went on to allege that Wyndham had failed to employ reasonable industry practices to safeguard guests’ data. Wyndham asked the court to dismiss the lawsuit, arguing that the Commission had overstepped its authority to regulate by claiming to have the right to enforce unwritten, unspecified data security standards against companies. Over a year after it was filed, the court denied Wyndham’s motion to dismiss in early 2014. The trial court specially certified the question of the FTC’s jurisdiction so that it could proceed immediately to appeal before the Third Circuit Court of Appeals. On August 24, 2015, the Third Circuit issued a decision affirming the trial court’s holding that the FTC had the power sue Wyndham, and thus the enforcement action will proceed.
If that were not enough, in May of 2014, a Wyndham shareholder brought a derivative action lawsuit against Wyndham. The claims in that lawsuit focus on the fiduciary liability of Wyndham’s board of directors for the data breaches themselves as well as the ensuing Federal Trade Commission lawsuit. The complaint alleges, among other things, that Wyndham failed to disclose the incident to shareholders in its financial filings in a timely manner. Wyndham has already filed a motion to dismiss the shareholder complaint, but no decision has been issued on that motion as of the time of the writing of this article.
The fallout and consequences to Wyndham from these events have been dire. Adverse impacts to Wyndham include harm to its image and reputation, the cost of notification of consumers and credit monitoring, legal fees and loss of goodwill among consumers, among other things.
What Can Be Learned From the Wyndham Breach Incidents? Security experts and analysts are becoming more vocal in warning consumers and corporate America that data intrusions are unavoidable. It is becoming the accepted industry wisdom that a determined hacker can get into virtually any system, regardless of how well it is protected. Therefore, it is difficult to say that a good lesson to take away from the Wyndham data incidents is that hotel companies should attempt to make themselves invincible against cyber attacks. Moreover, hotels often have certain inherent vulnerabilities to data theft, including the requirement that their computer systems must often be tied to those of entities which they do not control. There is no easy solution to this circumstance.
Rather, industry experts, as well as lawmakers, are beginning to call for faster and better intrusion response as a defense – through implementing closer monitoring and tighter protocols to detect breaches earlier, and having detailed and rehearsed cyber incident response plans, to name a few. Data breach response plans should include, among other things: creation of an incident response team (company officers, general counsel, outside data breach response counsel, information technology personnel, communications personnel, risk management personnel, etc.); a game plan for analyzing and containing a breach incident, including identification of forensic assessment and response firm; and, a plan for notifying affected individuals and government agencies where required. Speed in responding to an exposure or theft of information is a key component to reducing a company’s exposure after a breach. The Wyndham incidents underscore that delays in identifying breaches and shutting down exploited system vulnerabilities, in notifying affected people and consumer protection agencies, and in notifying shareholders, can all lead to higher levels of exposure.
One way to mitigate some of the breach-related costs similar to those incurred by Wyndham is to carry cyber protection insurance. The use of cyber insurance is widely increasing as data breach incidents become more frequent and more broadly reported through the media. Cyber policies come in a wide variety of forms and costs. The scope of coverage and exclusions from coverage must be carefully assessed to make sure a company has reasonable protection in exchange for its premium payments.
In the end, hotel owners, management companies and brands may not be able to avoid becoming the victims of cyber attacks, much in the same way that Wyndham and its franchised hotels became victims. What hotel companies can control, and should strive to prepare for, is their readiness to respond.
About Eckert Seamans
Eckert Seamans Cherin & Mellott, LLC has more than 375 attorneys located in 14 offices throughout the United States, including Pittsburgh, Harrisburg, Philadelphia, and Southpointe, Pa.; Boston; Washington, D.C.; Richmond, Va.; Wilmington, Del.; Newark and Trenton, N.J.; White Plains, N.Y.; Providence, R.I., Troy, Mich. and Charleston, W.Va. The firm provides a broad range of legal services in the areas of litigation, including mass tort and products liability litigation, corporate and business law, intellectual property law, labor and employment relations, aviation law, bankruptcy and creditors’ rights, employee benefits, environmental law, construction law, municipal finance, real estate, tax and estate law, trucking and transportation law. Eckert Seamans’ practice reflects virtually every industry and segment of the country’s business and social fabric. Clients include Fortune 500 companies, financial institutions, newspapers and other media, hotels, health care organizations, airlines and railroads. The firm also represents numerous federal, state, and local governmental and educational entities. In order to provide global reach and access to legal resources that enhance our ability to serve clients’ needs around the globe, Eckert Seamans has partnered with Lex Mundi, the world’s leading association of independent law firms, with a network of 160 member firms in more than 100 countries and offices in 600 business centers around the world; as well as SCG Legal, a global network of over 145 independent law firms with more than 11,500 attorneys. For more information about the firm, please visit www.eckertseamans.com.
]]>Unfortunately, hotels and hotel companies have been, and continue to be, tempting and frequent targets for data thieves.
Why are hotels of such interest to information thieves? Several factors could be to blame. One may be that hotels do such a large amount of business through credit and debit card transactions, and payment card fraud is a favored type of identity theft crime among cyber criminals and those to whom they sell their stolen information. Another may be that hotels frequently must tie their data and computer systems together with the computer systems of others, such as the major hotel brands and, at times, outside vendors or contractors. High employee turnover and, in many cases, poor employee training in security practices may also contribute to the vulnerability of hotels to data thieves.
Wyndham’s Data Incidents
Arguably the most notorious set of hotel data breach incidents happened to Wyndham Worldwide Corporation during the period of 2008-2009. Here’s how those incidents unfolded:
In April of 2008, foreign hackers gained access to Wyndham’s computer system through a single computer in one of Wyndham’s franchised hotels that an employee at the property had connected to the internet. The internet connection permitted the hackers to intrude into the hotel computer. This computer was also connected to Wyndham’s property management and reservation system (all Wyndham franchised hotels are required by contract to utilize Wyndham’s management and reservations system). This pathway was used by the hackers to gain access to Wyndham’s own servers
at its data center in Phoenix, Arizona. Once inside Wyndham’s system, the hackers obtained administrator passwords and access codes. At that point, the intruders had a ready pipeline to reach individual Wyndham franchised hotels that were connected to Wyndham’s central servers.
Within approximately a month, the hackers had used Wyndham’s computerized connections with its franchised hotels to compromise the computer systems of 41 different properties. Unfortunately, it took Wyndham a number of months to recognize that the intrusion had occurred.
Even more regrettably, the hackers returned twice more in 2009. Wyndham believed that the security vulnerabilities that had allowed the 2008 attack to occur had been remedied, but they had not. The second cyber attack on Wyndham resulted in the compromise of information from 39 franchised hotels; the third, 28 hotels.
The hackers, believed to have been operating from Russia, stole guest credit and debit card account information. In total, over 600,000 accounts were compromised in this series of breaches. By no means do these incidents qualify to be among the largest data breaches on record, especially compared to a few of the more recent highly publicized incidents, such as the 2013 pre-Christmas cyber attack against Target, in which over 70 million individuals were affected, or the more recent EBay data breach, which is said to have impacted over 233 million people. Nonetheless, the potential for payment card fraud as a result of the Wyndham breach has been estimated to exceed $10 million.
The consequences to Wyndham have been serious and seemingly endless. Initially, just after the incidents occurred, Wyndham issued notifications to all affected individuals. Such notifications are required by the data breach notification statutes of 47 U.S. states. The notification process was extremely expensive, in part because Wyndham first had to obtain contact information for the affected people based only upon credit card account numbers. Wyndham also provided a year of credit monitoring to affected individuals, at the company’s cost. In addition, Wyndham was required to spend time and resources attempting to satisfy a number of state consumer protection regulators and state attorneys general that it was adequately responding to the breaches.
As notifications were being processed, the franchised hotels began receiving notices from their credit card processors that the major credit card companies would be imposing assessments against the hotels, as merchants, for recovery of fraud costs associated with the breach incidents. The hotels turned to Wyndham and sought indemnification for these assessments. Ultimately, Wyndham bore the legal costs of challenging the majority of the credit card brand assessments and obtaining reductions in the fines.
Wyndham’s woes over the breach incidents were only just beginning. In April of 2012, the Federal Trade Commission brought a lawsuit against Wyndham in federal court, alleging that Wyndham had failed to observe adequate security practices concerning personal consumer information, and that these failures amounted to unfair and deceptive trade practices. The Commission’s complaint quoted the privacy policy which appears on Wyndham websites, which stated that Wyndham would use commercially reasonable efforts to protect the personal identifying information of its customers. The
complaint then went on to allege that Wyndham had failed to employ reasonable industry practices to safeguard guests’ data. Wyndham asked the court to dismiss the lawsuit, arguing that the Commission had overstepped its authority to regulate by claiming to have the right to enforce unwritten, unspecified data security standards against companies. Over a year after it was filed, the court denied Wyndham’s motion to dismiss in early 2014. The trial court specially certified the question of the FTC’s jurisdiction so that it could proceed immediately to appeal before the Third Circuit Court of Appeals. On August 24, 2015, the Third Circuit issued a decision affirming the trial court’s holding that the FTC had the power sue Wyndham, and thus the enforcement action will proceed.
If that were not enough, in May of 2014, a Wyndham shareholder brought a derivative action lawsuit against Wyndham. The claims in that lawsuit focus on the fiduciary liability of Wyndham’s board of directors for the data breaches themselves as well as the ensuing Federal Trade Commission lawsuit. The complaint alleges, among other things, that Wyndham failed to disclose the incident to shareholders in its financial filings in a timely manner. Wyndham has already filed a motion to dismiss the shareholder complaint, but no decision has been issued on that motion as of the time of the writing of this article.
The fallout and consequences to Wyndham from these events have been dire. Adverse impacts to Wyndham include harm to its image and reputation, the cost of notification of consumers and credit monitoring, legal fees and loss of goodwill among consumers, among other things.
What Can Be Learned From the Wyndham Breach Incidents?
Security experts and analysts are becoming more vocal in warning consumers and corporate America that data intrusions are unavoidable. It is becoming the accepted industry wisdom that a determined hacker can get into virtually any system, regardless of how well it is protected. Therefore, it is difficult to say that a good lesson to take away from the Wyndham data incidents is that hotel companies should attempt to make themselves invincible against cyber attacks. Moreover, hotels often have certain inherent vulnerabilities to data theft, including the requirement that their computer systems must often be tied to those of entities which they do not control. There is no easy solution to this circumstance.
Rather, industry experts, as well as lawmakers, are beginning to call for faster and better intrusion response as a defense – through implementing closer monitoring and tighter protocols to detect breaches earlier, and having detailed and rehearsed cyber incident response plans, to name a few. Data breach response plans should include, among other things: creation of an incident response team (company officers, general counsel, outside data breach response counsel, information technology
personnel, communications personnel, risk management personnel, etc.); a game plan for analyzing and containing a breach incident, including identification of forensic assessment and response firm; and, a plan for notifying affected individuals and government agencies where required. Speed in responding to an exposure or theft of information is a key component to reducing a company’s exposure after a breach. The Wyndham incidents underscore that delays in identifying breaches and shutting down exploited system vulnerabilities, in notifying affected people and consumer protection agencies, and in
notifying shareholders, can all lead to higher levels of exposure.
One way to mitigate some of the breach-related costs similar to those incurred by Wyndham is to carry cyber protection insurance. The use of cyber insurance is widely increasing as data breach incidents become more frequent and more broadly reported through the media. Cyber policies come in a wide variety of forms and costs. The scope of coverage and exclusions from coverage must be carefully assessed to make sure a company has reasonable protection in exchange for its premium payments.
In the end, hotel owners, management companies and brands may not be able to avoid becoming the victims of cyber attacks, much in the same way that Wyndham and its franchised hotels became victims. What hotel companies can control, and should strive to prepare for, is their readiness to respond.
Originally published on Monday, 09 June 2014
2722 views at time of republishing