The breach of Wyndham's computers was described in a Federal Trade Commission lawsuit filed this week against the company and three subsidiaries for alleged security failures that led to the three data breaches between April 2008 and January 2010. The failures caused "the export of hundreds of thousands of consumers' payment card account information to an Internet domain address registered in Russia" and millions of dollars in fraudulent charges on consumers' accounts, the FTC said.
Wyndham didn't mention the break-ins in its 2011 annual report or prior securities filings, according to an Associated Press review of the records.
Wyndham's 2011 annual report said the "hospitality industry is under increasing attack by cyber-criminals in the U.S. and other jurisdictions in which we operate" and noted that it was involved in "claims relating to information security and data privacy." Wyndham spent $13 million more on security improvements and expects to spend as much as $100 million in 2012 to guard against "the increasingly aggressive global threat from cyber-criminals," according to the report.
Wyndham said in an emailed statement to The Associated Press that it "fully complied with SEC regulations in regards to the disclosure of material events." In the statement, Wyndham said the incidents were "previously reported," an apparent reference to notices to consumers that were published on the company's website. The company also said the FTC's claims were without merit.
Network infrastructure company Verisign reported in late October, just a few weeks after the SEC issued the guidance, that there had been several successful cyberattacks against its corporate networks in 2010. In the filing, Verisign said the company's management had not been informed of the attacks until September 2011.
LinkedIn, the online networking service, publicly announced on June 12 the online theft of 6.5 million user passwords. It said the announcement complies with its obligations to the SEC, but it has yet to file a report about the incident with the commission.
The new SEC guidance puts pressure on companies to decide whether to disclose a breach or keep it secret, said Jody Westby of Global Cyber Risk, a consulting firm. But she said the demand for information amounts to locking the door after the house has been robbed.
"The SEC would have done better to require all public companies to say whether they've taken actions to implement a security program," Westby said.
Associated Press researcher Julie Reed contributed to this report.
SEC disclosure guidance: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
- 25 of the craziest — and cutest —...
- Bill Cosby said he got drugs to give women...
- Bakery ordered to pay $135,000 for mental,...
- Idaho's gay marriage ban remains in state...
- 2 Americans, 1 Briton gored in 1st Pamplona...
- Polygamous Montana trio applies for wedding...
- Fraying family ties cut to heart of theater...
- Lloyd hat trick leads United States over...
- Bakery ordered to pay $135,000 for... 76
- Idaho's gay marriage ban remains in... 38
- Did the news media show bias in its... 24
- Obama's counterterrorism policy facing... 22
- Ten Commandments decision prompts... 19
- Catholic leaders press GOP to heed pope... 15
- Rubio, Christie planning sleepover with... 12
- Obama draws sharp contrasts with 'mean'... 11