
Weak passwords cost hotel chain lawsuit

Posted by Norman on Jul 3, 2012 1:56:00 PM

The Wyndham Hotel Group franchise has 6,900 hotels across 13 brands in 50 countries.

The Federal Trade Commission is suing Wyndham Hotels after their lax password policies resulted in more than 500,000 customers having their credit card details compromised.

The breaches are believed to have led to more than $10 million in fraud losses.

The FTC claims that “Wyndham’s privacy policy misrepresented the security measures that the company and its subsidiaries took to protect consumers’ personal information”.

Basic mistakes

Weak admin passwords enabled hackers to easily gain access to the Wyndham systems. Once in, the hackers installed software to capture customer details – a process which went undetected for months.

In one instance, Wyndham employees using a program made by Micros Systems simply used “micros” as both the username and password of the account, making it easy for hackers to gain access.

In all, 500,000 customers had their credit card details and other personal information captured.

Passwords which are chosen for convenience are notoriously easy to guess or crack. Even password tricks such as replacing letters with similar-looking numbers present no barrier to hackers, since cracking tools try those substitutions automatically.

Easily avoided

Wyndham Hotels announced that they have made “significant enhancements to [their] information security” following the incidents. However, had they taken the simple precaution of employing strong passwords across their systems, it’s likely that the whole incident could have been avoided. Using strong, long passwords protects systems by increasing the number of possible permutations, making them much more difficult to crack. As a consequence, brute force attacks against the system can take years to work through all possible password combinations, even using supercomputers.

Using different passwords across systems isolates exposure should one password be compromised. In the recent LinkedIn hack the people most affected were those who used their LinkedIn password across multiple accounts. Not only did the hackers gain access to their LinkedIn accounts, but they also gained access to other accounts where the same password was used.

Corporate security comprises a whole gamut of measures across all infrastructure facets. Where there is a reliance on password authentication, businesses that fail to take the precaution of using strong, unique passwords are effectively leaving the key under the doormat and inviting intruders. Not only are companies risking their users’ information, but also their own reputation.

Changing weak passwords to strong ones and prohibiting the use of the same password across multiple systems are easy ways to increase security. It shouldn't be cost-prohibitive either, as free password manager solutions such as my1login can be used to generate these complex passwords to thwart intruders.
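As an added illustration (not part of the original article or of my1login's software), a small audit script that applies the points above to a constructed credential inventory: it flags default or number-substituted passwords like the “micros” pair, estimates worst-case brute-force time from length and alphabet size, and reports any password shared across systems. The inventory, the short weak-password list and the guess rate of 10 billion per second are all assumptions.

```python
import string

# Constructed credential inventory for the audit; not real Wyndham data.
# Each entry is (system, username, password); the "micros" pair mirrors the
# default credential the article describes.
INVENTORY = [
    ("pos-terminal-1", "micros", "micros"),
    ("pos-terminal-2", "micros", "M1cr0s"),
    ("vpn-gateway", "admin", "Summer2012!"),
    ("backup-server", "root", "Summer2012!"),
    ("hr-portal", "svc_hr", "correct-horse-battery-staple-2012"),
]

# Tiny default/common-password list for the example; a real audit would use a
# large breached-password corpus.
KNOWN_WEAK = {"micros", "password", "admin", "123456", "summer2012"}

# Undo the letter-for-number "tricks" the article mentions (1->i, 0->o, ...).
# Simplified: a real checker tries every alternative (e.g. 1->l as well).
LEET = str.maketrans("013457$@", "oieastsa")

def candidates(pw):
    """Forms of a password compared against the weak list: lower-cased with
    trailing punctuation removed, both as typed and with substitutions undone."""
    base = pw.lower().rstrip(string.punctuation)
    return {base, base.translate(LEET)}

def charset_size(pw):
    """Alphabet size an exhaustive search would have to cover."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(c) for c in classes if any(ch in c for ch in pw))

def brute_force_years(pw, guesses_per_second=1e10):
    """Worst-case exhaustive-search time in years at an assumed guess rate."""
    return charset_size(pw) ** len(pw) / guesses_per_second / (365 * 86400)

def assess(pw, min_length=12):
    """Return the policy problems with one password (empty list = acceptable)."""
    problems = []
    if candidates(pw) & KNOWN_WEAK:
        problems.append("known default or common password")
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    return problems

def reused_passwords(inventory):
    """Map each password used on more than one system to those systems."""
    systems = {}
    for system, _user, pw in inventory:
        systems.setdefault(pw, []).append(system)
    return {pw: s for pw, s in systems.items() if len(s) > 1}
```

Running `assess` and `brute_force_years` over the inventory shows that “M1cr0s” is rejected just like “micros” and would fall to an exhaustive search in seconds, while only the long passphrase survives both checks.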
