The breach of Wyndham's computers was described in a Federal Trade Commission lawsuit filed this week against the company and three subsidiaries for alleged security failures that led to the three data breaches between April 2008 and January 2010. The failures caused "the export of hundreds of thousands of consumers' payment card account information to an Internet domain address registered in Russia" and millions of dollars in fraudulent charges on consumers' accounts, the FTC said.
Wyndham didn't mention the break-ins in its 2011 annual report or prior securities filings, according to an Associated Press review of the records.
Wyndham's 2011 annual report said the "hospitality industry is under increasing attack by cyber-criminals in the U.S. and other jurisdictions in which we operate" and noted that it was involved in "claims relating to information security and data privacy." Wyndham spent $13 million more on security improvements and expects to spend as much as $100 million in 2012 to guard against "the increasingly aggressive global threat from cyber-criminals," according to the report.
Wyndham said in an emailed statement to The Associated Press that it "fully complied with SEC regulations in regards to the disclosure of material events." In the statement, Wyndham said the incidents were "previously reported," an apparent reference to notices to consumers that were published on the company's website. The company also said the FTC's claims were without merit.
Network infrastructure company Verisign reported in late October, just a few weeks after the SEC issued the guidance, that there had been several successful cyberattacks against its corporate networks in 2010. In the filing, Verisign said the company's management had not been informed of the attacks until September 2011.
LinkedIn, the online networking service, publicly announced on June 12 the online theft of 6.5 million user passwords. It said the announcement complies with its obligations to the SEC, but it has yet to file a report about the incident with the commission.
The new SEC guidance puts pressure on companies to decide whether to disclose a breach or keep it secret, said Jody Westby of Global Cyber Risk, a consulting firm. But she said the demand for information amounts to locking the door after the house has been robbed.
"The SEC would have done better to require all public companies to say whether they've taken actions to implement a security program," Westby said.
Associated Press researcher Julie Reed contributed to this report.
SEC disclosure guidance: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
- 'Deseret News National Edition': Hobby Lobby,...
- Man seeks video of 1995 Oklahoma City...
- Obama maintains busy fundraising schedule,...
- Fast food workers vow civil disobedience
- Taiwan plane crash survivor crawls out of...
- Plan to simplify 2015 health renewals may...
- A new initiative from the Obama...
- Bills aim to bring marriage, family law into...
- Hamas calls for end to blockade of Gaza... 25
- Federal land managers criticized over... 24
- Obama fundraises for Dems; demands GOP... 21
- Feds cap fines for not buying health... 21
- Obama maintains busy fundraising... 18
- Ted Cruz demands answers on FAA flight... 16
- After government topples crosses in... 14
- Varying health premium subsidy amounts... 13