The breach of Wyndham's computers was described in a Federal Trade Commission lawsuit filed this week against the company and three subsidiaries for alleged security failures that led to the three data breaches between April 2008 and January 2010. The failures caused "the export of hundreds of thousands of consumers' payment card account information to an Internet domain address registered in Russia" and millions of dollars in fraudulent charges on consumers' accounts, the FTC said.
Wyndham didn't mention the break-ins in its 2011 annual report or prior securities filings, according to an Associated Press review of the records.
Wyndham's 2011 annual report said the "hospitality industry is under increasing attack by cyber-criminals in the U.S. and other jurisdictions in which we operate" and noted that it was involved in "claims relating to information security and data privacy." Wyndham spent $13 million more on security improvements and expects to spend as much as $100 million in 2012 to guard against "the increasingly aggressive global threat from cyber-criminals," according to the report.
Wyndham said in an emailed statement to The Associated Press that it "fully complied with SEC regulations in regards to the disclosure of material events." In the statement, Wyndham said the incidents were "previously reported," an apparent reference to notices to consumers that were published on the company's website. The company also said the FTC's claims were without merit.
Network infrastructure company Verisign reported in late October, just a few weeks after the SEC issued the guidance, that there had been several successful cyberattacks against its corporate networks in 2010. In the filing, Verisign said the company's management had not been informed of the attacks until September 2011.
LinkedIn, the online networking service, publicly announced on June 12 the online theft of 6.5 million user passwords. It said the announcement complies with its obligations to the SEC, but it has yet to file a report about the incident with the commission.
The new SEC guidance puts pressure on companies to decide whether to disclose a breach or keep it secret, said Jody Westby of Global Cyber Risk, a consulting firm. But she said the demand for information amounts to locking the door after the house has been robbed.
"The SEC would have done better to require all public companies to say whether they've taken actions to implement a security program," Westby said.
Associated Press researcher Julie Reed contributed to this report.
SEC disclosure guidance: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm