The breach of Wyndham's computers was described in a Federal Trade Commission lawsuit filed this week against the company and three subsidiaries for alleged security failures that led to the three data breaches between April 2008 and January 2010. The failures caused "the export of hundreds of thousands of consumers' payment card account information to an Internet domain address registered in Russia" and millions of dollars in fraudulent charges on consumers' accounts, the FTC said.
Wyndham didn't mention the break-ins in its 2011 annual report or prior securities filings, according to an Associated Press review of the records.
Wyndham's 2011 annual report said the "hospitality industry is under increasing attack by cyber-criminals in the U.S. and other jurisdictions in which we operate" and noted that it was involved in "claims relating to information security and data privacy." Wyndham spent $13 million more on security improvements and expects to spend as much as $100 million in 2012 to guard against "the increasingly aggressive global threat from cyber-criminals," according to the report.
Wyndham said in an emailed statement to The Associated Press that it "fully complied with SEC regulations in regards to the disclosure of material events." In the statement, Wyndham said the incidents were "previously reported," an apparent reference to notices to consumers that were published on the company's website. The company also said the FTC's claims were without merit.
Network infrastructure company Verisign reported in late October, just a few weeks after the SEC issued the guidance, that there had been several successful cyberattacks against its corporate networks in 2010. In the filing, Verisign said the company's management had not been informed of the attacks until September 2011.
LinkedIn, the online networking service, publicly announced on June 12 the online theft of 6.5 million user passwords. It said the announcement complies with its obligations to the SEC, but it has yet to file a report about the incident with the commission.
The new SEC guidance puts pressure on companies to decide whether to disclose a breach or keep it secret, said Jody Westby of Global Cyber Risk, a consulting firm. But she said the demand for information amounts to locking the door after the house has been robbed.
"The SEC would have done better to require all public companies to say whether they've taken actions to implement a security program," Westby said.
Associated Press researcher Julie Reed contributed to this report.
SEC disclosure guidance: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
- 10 things to know about corporate inversions
- Running again? Mitt Romney tells Hugh Hewitt...
- It's about time the government recognize the...
- Freelancers and millennials help usher in the...
- Obama tamps down prospect of strikes in Syria
- A New York Times article said Michael Brown...
- University of Phoenix founder dies, leaving...
- Ukraine accuses Russia of sending in tanks,...
- A New York Times article said Michael... 43
- Running again? Mitt Romney tells Hugh... 36
- 10 things to know about corporate... 31
- For the first time in American history,... 30
- Doug Robinson: When did Missouri turn... 24
- Why the poverty cycle is harder to... 15
- Obama tamps down prospect of strikes in... 14
- Winning plaintiffs in 3 states want... 14