The breach of Wyndham's computers was described in a Federal Trade Commission lawsuit filed this week against the company and three subsidiaries for alleged security failures that led to the three data breaches between April 2008 and January 2010. The failures caused "the export of hundreds of thousands of consumers' payment card account information to an Internet domain address registered in Russia" and millions of dollars in fraudulent charges on consumers' accounts, the FTC said.
Wyndham didn't mention the break-ins in its 2011 annual report or prior securities filings, according to an Associated Press review of the records.
Wyndham's 2011 annual report said the "hospitality industry is under increasing attack by cyber-criminals in the U.S. and other jurisdictions in which we operate" and noted that it was involved in "claims relating to information security and data privacy." Wyndham spent $13 million more on security improvements and expects to spend as much as $100 million in 2012 to guard against "the increasingly aggressive global threat from cyber-criminals," according to the report.
Wyndham said in an emailed statement to The Associated Press that it "fully complied with SEC regulations in regards to the disclosure of material events." In the statement, Wyndham said the incidents were "previously reported," an apparent reference to notices to consumers that were published on the company's website. The company also said the FTC's claims were without merit.
Network infrastructure company Verisign reported in late October, just a few weeks after the SEC issued the guidance, that there had been several successful cyberattacks against its corporate networks in 2010. In the filing, Verisign said the company's management had not been informed of the attacks until September 2011.
LinkedIn, the online networking service, publicly announced on June 12 the online theft of 6.5 million user passwords. It said the announcement complies with its obligations to the SEC, but it has yet to file a report about the incident with the commission.
The new SEC guidance puts pressure on companies to decide whether to disclose a breach or keep it secret, said Jody Westby of Global Cyber Risk, a consulting firm. But she said the demand for information amounts to locking the door after the house has been robbed.
"The SEC would have done better to require all public companies to say whether they've taken actions to implement a security program," Westby said.
Associated Press researcher Julie Reed contributed to this report.
SEC disclosure guidance: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
- The Latest: Defiant Kentucky clerk goes to...
- Kentucky clerks to license marriages as their...
- President Uchtdorf dedicates addition to...
- Gold fever hits Poland with possible...
- Trump vows no third-party bid, will back GOP...
- Disney unveils Star Wars toys amid marketing...
- FamilySearch opens new Seattle Family...
- Video: Key and Peele show what it would look...
- Kentucky clerk still won't issue... 129
- The Latest: Defiant Kentucky clerk goes... 114
- Kentucky clerks to license marriages as... 79
- Compromise could fix Kentucky's wedding... 62
- Latest Clinton emails show frustrations... 26
- In Alaska, Obama depicts stark future... 21
- Obama gets Iran deal win as Senate Dems... 21
- AP sources: GOP seeks pledge to avert... 20