Question

Wyndham Worldwide Corporation, which owns a global chain of hotels and resorts, suffered three data breaches in 2008 and 2009. Those breaches compromised the credit card information of more than 619,000 Wyndham customers.

The data breaches took place when hackers invaded the network of one of Wyndham's subsidiary companies. The entire Wyndham Hotel franchise used a common database system to collect customer information. In the first breach, hackers were able to gain access to Wyndham's corporate network via the subsidiary. In that breach, they installed memory-scraping malware on the Wyndham network servers and accessed consumer files in the common data database system. In the attack, more than 500,000 credit card numbers were exported to a Russian website.

The second breach took place almost a year later and used many of the same techniques used in the first breach. The hackers again installed memory scraping malware. They also reconfigured software to obtain clear text files of credit card numbers for Wyndham guests. The third breach took place about six months after the second breach, again using many of the same techniques as the first breach.

The Federal Trade Commission (FTC) investigated Wyndham's security practices following the breach. The FTC argued that Wyndham had a privacy policy that said that it took reasonable security measures to protect customer information. The FTC said that because Wyndham had been breached, these data security practices were deceptive and unfair.

In its complaint, the FTC alleged that much of the customer information in the Wyndham database was not encrypted, including credit card information. The FTC also alleged that Wyndham didn't have adequate firewalls, didn't patch its IT systems regularly, and allowed the use of default usernames and passwords to access its IT infrastructure.

Identify three to five PCI DSS requirements that Wyndham is alleged to have violated.

Answer 1

Wyndham is alleged to have violated several PCI DSS requirements including encryption of data, firewall configuration, regular patching, secure system configuration, and access control measures.

Step-by-step explanation:

The five PCI DSS requirements that Wyndham is alleged to have violated are:

1. Encryption of Data: The FTC alleged that much of the customer information in the Wyndham database was not encrypted, including credit card information.
2. Firewall Configuration: The FTC alleged that Wyndham didn't have adequate firewalls in place to protect customer information.
3. Regular Patching: The FTC alleged that Wyndham didn't patch its IT systems regularly, leaving them vulnerable to attacks.
4. Secure System Configuration: Wyndham allowed the use of default usernames and passwords to access its IT infrastructure, which is a violation of PCI DSS requirements.
5. Access Control Measures: The lack of encryption, firewall configuration, and regular patching all contribute to a failure in implementing proper access control measures to protect customer information.