Many in the security community are concerned that this is another example of government over-reach. However, when viewed another way, this particular ruling can have a broader positive impact for the information security profession.
Wyndham stated on its website that it used industry standard protection, including 128-bit encryption and firewalls:
We safeguard our Customers’ personally identifiable information by using industry standard practices… Currently, our Web sites utilize a variety of different security measures designed to protect personally identifiable information from unauthorized access by users both inside and outside of our company, including the use of 128-bit encryption based on a Class 3 Digital Certificate issued by Verisign Inc. This allows for utilization of Secure Sockets Layer, which is a method for encrypting data. This protects confidential information — such as credit card numbers, online forms, and financial data — from loss, misuse, interception and hacking. We take commercially reasonable efforts to create and maintain “fire walls” and other appropriate safeguards.
Unfortunately, Wyndham Hotels was hacked, not once, or twice, but three times, resulting in a loss of 619,000 consumer records, and causing $10.6 million in loss due to fraud.
Furthermore, it was proven that Wyndham did not merely use inadequate security. Rather, Wyndham Hotels had no such security in place. You read that correctly. The hotel chain had zero encryption and no firewalls at all.
The problem that the Federal Trade Commission addressed was not one of cyber security, but of unfairness to the consumer. A consumer simply had no fair way of knowing that Wyndham Hotels was overstating its security. “Overstating” seems to be a euphemism, but most Federal Agencies are resistant to referring to the defendant as prone to telling downright lies.
The most humorous part of Wyndham’s defense is that it claimed that by allowing the FTC to regulate Wyndham’s conduct, it could extend to the FTC suing supermarkets that are “sloppy about sweeping up banana peels”.
Seriously, they presented that to a federal court as a defense! The court indicated that any supermarket that leaves so many banana peels lying around that it may jeopardize the safety of 619,000 customers would hardly be immune to liability.
So, how can all of this help the information security profession? This helps because a corporation can no longer falsely claim that they use security measures when none are in place. Corporations will have to engage with security professionals who can offer them guidance and advice.
This may also require security professionals to become accountable for their advice, which can raise the profession as a whole as well as correcting the public perception that Information Security professionals are just a bunch of hoodie-wearing hackers.
Progress has always been slow in the Infosec profession. The FTC ruling will not cause a dramatic acceleration in security practices of many corporations, but it is perhaps the kick-start that is needed to move both corporate security as well as the Infosec profession in a positive direction.
Beware of those banana peels, friends.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.