Wyndham Hotels and Resorts on Monday lost its bid to stop the Federal Trade Commission from suing the hotelier for allegedly failing to secure its computers from Russian hackers, according to Bloomberg.
The U.S. Court of Appeals for the Third Circuit in Philadelphia denied Wyndham’s motion to dismiss the case. Wyndham argued that the company was also a victim of the hackings and was being penalized unfairly, Bloomberg said.
The FTC contends it has the power to bring enforcement actions against companies it believes failed to take reasonable steps to prevent breaches. The commission sued Wyndham in June 2012, “claiming that the company’s computer systems unreasonably and unnecessarily exposed consumer data to the risk of theft,” according to CNBC.
Among the practices the FTC accused Wyndham of were failure to use readily available security measures, such as firewalls; storage of credit card information in clear text; failure to require employees to use complex user IDs and passwords to access company servers; and failure to reasonably limit third-party access to company networks and computers.
The appeals court rejected Wyndham’s argument that the company lacked “fair notice” that its practices fell short of what the FTC could require.
The attacks on the company’s computer network occurred in 2008 and 2009. Although Wyndham hired five groups of consultants after the attacks, none could determine how the hackers breached the system.
The breaches compromised more than 619,000 card accounts, with many of those numbers exported to a domain registered in Russia. Fraudulent charges on accounts led to more than $10.6 million in losses.