Are You Booked in a Hacker-Friendly Hotel?

If you’re making hotel reservations for spring and summer, take heed of Consumer Reports’ new travelers’ advisory: Be careful at hacker-friendly hotels, which leave the welcome mat out for data thieves by failing to comply with even the most rudimentary data security safeguards.

As recently as five years ago, Wyndham Worldwide, with about 7,000 hotels under a dozen well-known brands, let Russian hackers steal data involving 619,000 accounts of customers who stayed at 41 Wyndham-branded hotels, not just once—in April, 2008—not just a second time—in March, 2009—but also a third time later that same year, according to a Federal Trade Commission first amended complaint filed in 2012. The theft led to $10.6 million in unauthorized charges.

The Wyndham case is part of a broader FTC effort to ensure that companies live up to their promises to protect sensitive consumer information, which has led to 32 actions against corporations and organizations.

The FTC’s complaint chronicles data security lapses that were more reckless than a preteen friending adult strangers on Facebook, including:

Wyndham tried to have the case dismissed on grounds that the FTC has no authority to regulate deceptive acts and practices involving data security practices. A New Jersey U.S. District Court judge didn’t see it that way and earlier this month allowed the FTC action to proceed.

Wyndham declined Consumer Reports’ request for an interview. “The Court made no decision on liability, which will be determined later as the case now moves forward,” said Michael Valentino, vice president of marketing and communications for Wyndham Worldwide. "We continue to believe the FTC lacks the authority to pursue this type of case against American businesses, and has failed to publish any regulations that would give such businesses fair notice of any proposed standards for data security. We intend to defend our position vigorously.”

In an e-mail statement, Edith Ramirez, chairwoman of the FTC, said the case will proceed. “I’m pleased that the court has recognized the FTC’s authority to hold companies accountable for safeguarding consumer data, and we look forward to trying this case on the merits," she said. "Companies should take reasonable steps to secure sensitive consumer information. When they do not, it is not only appropriate, but critical, that the FTC take action on behalf of consumers.”

Now, David Durko, former director of Wyndham’s security compliance management, says that many independently owned and operated Wyndham hotels doing business under the Super 8 brand name don’t comply with Payment Card Industry Data Security Standards.

Durko says the Wyndham Hotel Group hired him in response to the three breaches that became the focus of the FTC complaint. He worked there for a year and a half as a PCI consultant, then for another two years as director of security compliance, according to his LinkedIn profile. Durko says he and Wyndham parted on amicable terms.

PCI DSS is the first line of defense against credit and debit card data theft. The major credit card brands require every business that accepts their cards for payment to be PCI DSS compliant and created the Payment Card Industry Security Standards Council to establish minimum standards and practices that businesses must follow to properly protect consumer data.

But American Express, MasterCard, and Visa were not immediately available for interviews to discuss how the self-regulatory system they created protects consumers. Discover, meanwhile, declined our request for an interview. “Unfortunately we don't have anything to discuss regarding this topic at this time,” said Abbe Kalina, a Discover representative.

If you start finding fraudulent charges on your credit or debit card account after your vacation, you can protect yourself the same way you responded to the Target data breach, but you don't need to buy identity protection services.

But Durko, now CEO of Security Validation, a New Jersey-based data security consulting firm, is talking, and he says his examiners telephoned the owners or general managers of 300 Super 8 hotels, a 10 percent sample of the chain’s 2,979 locations, and “asked if they were PCI compliant." "Their overwhelming response was ‘no’, or ‘we don’t know’, or ‘Wyndham takes care of that’,” Durko said.

Security Validation also publishes PrivacyAtlas.com, a new website that aims to give consumers a tool to check the PCI DSS compliance of thousands of major chain hotel locations. We found independent support for Durko’s claim with a representative of more than 800 Super 8 hotel owners. "Wyndham is responsible for PCI compliance," said Jay Patel, president of the Owners 8 Association, which describes itself as “the voice of Wyndham franchisees” and “an outspoken advocate” of 1,500 mostly small, family owned Super 8 and other Wyndham hotels.

Patel says Wyndham is responsible because, in 2009, the hospitality giant mandated that its franchisees purchase the SoftHotel property management system that handles payment card transactions. “Everything gets processed through the Wyndham system, and that hardware and software are purchased through Wyndham," Patel said. "The franchisees are required to use that system."

But Wyndham tells a different story. While Wyndham Hotel Group has received third party certification for its own corporate PCI compliance, “Each hotel in the Super 8 chain is independently owned and operated, and as with all merchants, is separately required to be PCI compliant under its contract with its individual payment card processor,” Valentino said.

The finger pointing exposes a troubling gap: With Wyndham and the hotel owners disavowing responsibility for Super 8 hotel PCI compliance, neither seems to be ensuring security at all the sites.

Our findings suggest that you should take steps to protect yourself when staying at Super 8 in particular and any hotel in general:

  • When checking in, ask the owner or manager to show you the hotel’s “Attestation of Compliance,” a document that the business is required to have, which shows that it met minimum standards for data security as of the date of the report. We see no reason why any business should hide this document from paying customers who give them their personal and payment card information.
  • If the hotel can’t or won’t show you its AOC, pay by credit card instead of debit card, because, if the hotel attracts a security breach, it's easier to resolve unauthorized credit charges and replace a compromised card than it is to repair debit card fraud, which can drain funds from your underlying checking account and set off a cascade of overdraft fees and late payment charges.
  • Avoid paying by debit card at suspect hotels. But if you must use your debit card, use it as a credit card, which means that you select the “credit” option on many card readers—even though you’re using a debit card—and sign to authorize your payment instead of punching in a PIN number. Some terminals don’t give you the “credit” option; with these, you swipe your card, then, when you’re prompted to provide a PIN, press “cancel” and tell the cashier you want to sign for your transaction. Yes, hackers could still steal your data, clone your debit card, and use it like a credit card—just as you did—to make unauthorized charges, but they won't have your PIN to withdraw cash via an ATM.

––Jeff Blyskal

Copyright © 2005-2014 Consumers Union of U.S., Inc. No reproduction, in whole or in part, without written permission. Consumer Reports has no relationship with any advertisers on this site.