U.S. regulators filed a complaint against Wyndham Worldwide Corp and three subsidiaries on Tuesday, alleging that a failure by the hospitality company to safeguard consumers' personal information led to more than $10 million lost to fraud.
The Federal Trade Commission said repeated failures to secure consumer data led to hundreds of thousands of consumers' payment card information being exported to an Internet domain address registered in Russia.
Wyndham, which operates several hotel brands, including the value-oriented Days Inn and Super 8, is one of a large number of organizations that acknowledged in the past three years that they had been hacked by people seeking either financial gain or intellectual property.
Other victims have included entertainment giant Sony, the International Monetary Fund, Google, Lockheed Martin and Citigroup.
In its complaint, the FTC said fraudulent charges on Wyndham's consumer accounts totaled more than $10.6 million following three data breaches in less than two years. The breaches occurred in April 2008, March 2009 and in late 2009, it said.
"Even after faulty security led to one breach... Wyndham still failed to remedy known security vulnerabilities; failed to employ reasonable measures to detect unauthorized access; and failed to follow proper incident response procedures," the FTC said.
Barry Goldschmidt, a vice president for investor relations at Wyndham, said the company offered affected customers credit-monitoring services while also strengthening its security systems.
Wyndham was unaware of any customers losing money because of the breach, he said.
In its complaint, the FTC asked the court to require Wyndham to live up to its privacy policies, provide restitution or refund money that customers paid and to pay the FTC's costs in filing the lawsuit.
The case is Federal Trade Commission v. Wyndham Worldwide Corporation et al, U.S. District Court for the District of Arizona, case no. 12-cv-1365.