Monday, 1 March 2010

Check in to your hotel – and let hackers check out with your credit card

According to reports, sometime between October 2009 and January of this year, hackers broke into databases associated with Wyndham Hotels and Resorts (WHR). This is the third time within a year that the hotel chain has suffered a data breach, and this time the hackers stole customer names and payment card information. What the hotel is saying through an open letter and associated FAQs raises more questions about how exactly this company is safeguarding all of its data and what rights (if any) customers have to be told of data theft affecting their accounts.

In its FAQs, the hotel states that guests who had stayed at a Wyndham hotel contacted the chain regarding fraudulent use of their cards. Based on this feedback, the hotel went back through its systems and discovered the breach. In simple terms, the hotel was not aware of the breach until the data had already been stolen and used fraudulently. The next logical step for the chain would seem to be notifying all of the owners of the compromised data, whom the hotel has identified.

What Wyndham did instead was to inform the Secret Service and to provide the card information to the credit card companies, advising them to watch for suspicious activity. Wyndham claims that it does not have the addresses of the affected individuals, so it cannot contact them. It would seem that the hotel chain is shifting the burden to the card companies and doing only what is legally required. The people who suffer are the customers, who must check their bills for fraudulent charges or hope that the card companies are watching for suspicious activity. Every customer should have the right to know immediately if his or her data has been stolen.

As for the hotel's mention of hiring a PCI firm to check its revised security, the hotel could very well have been PCI compliant at the time of the breach. PCI compliance does not equal safe data.