What Does the Wyndham-FTC Settlement Mean for Travelers?


Not as much as we wanted.

Call it half a loaf – but, as usual, a half loaf is generally better than no loaf at all.

That’s the coda to the long running FTC actions against Wyndham, which operates Ramada, Days Inn, Super 8, Dream Hotels, and Wyndham Hotels. This got its start as far back as 2008 when, said the FTC, a team of Russian hackers breached Wyndham’s computers.

It got worse. According to the FTC the same gang returned in 2009 and made off with more account information. Wyndham suffered three breaches from the gang, by the FTC’s tally.

By the FTC’s reckoning, some 619,000 accounts were breached.

That is ugly.

It’s of course also too common in the hotel business, where recent months have seen Trump, Mandarin Oriental, Hilton, Starwood and White Lodging (for a second time)  victimized in breaches. Hundreds of thousands of us – maybe millions – have had our credit card data stolen from the hotels to whom we entrusted it.

Independent security experts have also told me that – in addition to the hotels known to have been breached – very probably there are many more that have been breached but so far the breach has gone undetected. What this comes down to is a fundamental failure by many hoteliers to take customer privacy seriously.  They insist on a guest offering a credit card on check in – I think it must be 40 years ago when I last checked in without proffering a credit card and in that case a Fortune 25 company’s travel department had booked the room and was on the hook for the charges.

And then the hotel too often fails to protect that credit card data.

The Wyndham-FTC dance is important because this is the breach that has made it into the courts and nobody had thrown out the FTC’s right to badger Wyndham.  So there was reason to hope for clarity and strong guidelines regarding a hotel’s obligation to protect guest personal and credit card information.

Did that happen?

In its press release the FTC said that Wyndham had settled with the agency.  It added: “The proposed stipulated federal court order requires Wyndham Hotels and Resorts to obtain annual security audits of its information security program that conform to the Payment Card Industry Data Security Standard for certification of a company’s security program.  In addition, the order requires Wyndham’s audit to:

     * certify the ‘untrusted’ status of franchisee networks, to prevent future hackers from using the same method used in the company’s prior breaches;

  • certify the extent of compliance with a formal risk assessment process that will analyze the possible data security risks faced by the company;
  • and certify that the auditor is qualified, independent and free from conflicts of interest.”

Probably the best bit is this: “The order also requires that in the event Wyndham suffers another data breach affecting more than 10,000 payment card numbers, they must obtain an assessment of the breach and provide that assessment to the FTC within 10 days.”  

Wyndham also agreed to follow this regimen for 20 years.

For its part, Wyndham, in a statement, said: “We are pleased to reach this settlement with the FTC, which does not hold Wyndham liable for any violations, nor require Wyndham to pay any monetary relief.”

What is especially annoying about the settlement is this: “The consent order applies only to payment card information, and does not apply to any other categories of personally identifiable information,” said Wyndham.

That would seem to mean that loyalty program information, driver’s license numbers, home addresses, phone numbers and much of the rest of the personal information collected at check-in is not covered by the settlement.

The FTC nonetheless applauded its outcome.  “This settlement marks the end of a significant case in the FTC’s efforts to protect consumers from the harm caused by unreasonable data security,” said FTC Chairwoman Edith Ramirez in a statement. “Not only will it provide important protection to consumers, but the court rulings in the case have affirmed the vital role the FTC plays in this important area.”

That just maybe is the plus.  The government apparently is gaining clout in going after companies that have been breached and it about time.  Because more companies – more hotels in particular – will be breached and we travelers need all the powerful friends we can gather to help protect our privacy.  

The Sabre Breach: How to Keep Your Travel Plans Private

The Sabre breach has to shake you. Apparently millions of hotel and airline bookings may have been hoovered out of the onetime American Airlines subsidiary, probably by the same gang of China state sponsored cybercriminals who are said to have been behind many other huge recent breaches at United, the US Office of Personnel Management, Anthem, and many more.

Exact details of the Sabre breach are, as always, sparse.   Said the company in a statement: “We recently learned of a cybersecurity incident, and we are conducting an investigation into it now. At this time, we are not aware that this incident has compromised sensitive protected information, such as credit card data or personally identifiable information, but our investigation is ongoing.”

American Airlines is apparently investigating if the hackers backed into the AA computers via Sabre. The two companies are said to share some computer infrastructure.

Even without the extra AA data, the Sabre data haul alone could be in the billions of travel records.  Then add in an apparent – and possibly huge breach of passenger records at United.  Almost certainly your information is in this very large mix.  Should you be worried?

What is obvious is that somebody – and most fingers point to China – is building an enormous database on America’s citizenry that comprises health records, employment records, personal details, and now quite possibly extensive travel records.

Nobody presently has any clue what the intent of the information gatherers is.  That has to make us all worry.

There also are obvious – deeply troubling – uses to a storehouse of travel plans. These records are gold to anybody who wants to track spies, suspected spies, handlers, and – say – M&A artists.

What can you do to protect the privacy of your travel data?  Not very much. That’s the sad truth.

But there are small steps we can take to conceal our flight and hotel plans.

In bygone years – pre 9/11 – many celebrities and even some ultra rich and executives routinely traveled under fake names.  They checked into hotels under pseudonyms and they flew under similar.

That just is not viable today, at least not for commercial air when the TSA demands positive ID and an airline ticket issued in the name on the ID.

Could a high-roller fool the system by buying a cheap SFO to LAX flight, showing that ticket and his/her real ID to TSA…then discarding that tickets and pulling out a ticket to Newark in the name of Daffy Duck?

Probably.  But for how long? And how many of us want to suffer the expense just to cover up our wanderings?

And it wouldn’t work at all for international travel.

For those who crave privacy, private planes are the only real option – and for many who want this privacy, the price is not a barrier.  When mum has to be the word, go private.

That’s one way to foil the breachers,

What about self-defense in hotels?

I cannot remember the last time I was not asked to produce a photo ID to check into a hotel. Why?

There apparently is no body of law requiring hotels in the US to verify a guest’s identity with a photo ID.

Of course, hotels – ever wary of credit card fraud – want to believe checking IDs will reduce fraud (has it? Of course not).

But that does not give them the right to demand I prove my identity to claim my bed. Or sometimes just to walk into the lobby.

Maybe we should all just stop playing along with the hotels’ identify demand – especially since there are no good reasons to believe hotels are good securers of our information (from ID to credit card data).

Just say no.

The only way to protect oneself from an unknown adversary who is sucking up as much information as he can is to get stingy about leaving traces of it, especially in places that do not need it – and, for me, in travel the obvious places that have no real need for a lot of identifying data is hotels.