First Amended Complaint For Injunctive And Other Equitable Relief [PDF – 22 Pages] 004270 1 120809wyndhamcmpt

User Manual: 004270-1

Open the PDF directly: View PDF .
Page Count: 23

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 1 of 22

1 Willard K. Tom

General Counsel

2 Lisa Weintraub Schifferle (DC Bar No. 463928)

Kristin Krause Cohen (DC Bar No. 485946)

3 Kevin H. Moriarty (DC

BarNo.

975904)

Katherine E. McCarron (DC Bar No. 486335)

4 John A. Krebs (MA Bar No. 633535)

Andrea

V.

Arias (DC Bar

No.1

004270)

5 Federal Trade Commission

600 Pennsylvania Ave,

NW

Mail Stop NJ-8100

6 Washington, D.C. 20580

Facsimile: (202) 326-3062

7 E-mail: lschifferle@ftc.gov

Telephone: (202) 326-3377

8 Attorneys for Plaintiff Federal Trade Commission

9

10

IN THE UNITED STATES DISTRICT COURT

FOR THE DISTRICT

OF

ARIZONA

11

12

)

Federal Trade Commission, )

13

)

Plaintiff, )

14

)

v.

)

15

)

Wyndham Worldwide Corporation, a Delaware )

16

corporation; )

)

17

Wyndham Hotel Group, LLC, a Delaware )

limited liability company; )

18

)

Wyndham Hotels and Resorts, LLC, a Delaware)

19

limited liability company; and )

)

20 Wyndham Hotel Management, Inc., a )

Delaware Corporation, )

21

)

Defendants. )

22 )

No. CV 12-1365-PHX-

PGR

FIRST AMENDED

COMPLAINT FOR

INJUNCTIVE AND

OTHER EQUITABLE

RELIEF

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 2 of 22

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

Plaintiff, the Federal Trade Commission ("FTC"), for its Complaint alleges:

1.

The

FTC

brings this action

under

Section 13(b)

of

the Federal Trade

Commission

Act

("FTC

Act"),

15

U.S.C. § 53(b), to obtain permanent injunctive

relief

and

other equitable

relief

for Defendants' acts

or

practices in violation

of

Section 5(a)

of

the

FTC

Act,

15

U.S.C. § 45(a), in connection with Defendants'

failure to maintain reasonable and appropriate data security for consumers'

sensitive personal information.

2.

Defendants' failure to maintain reasonable security allowed intruders

to obtain unauthorized access to the computer networks

of

Wyndham Hotels and

Resorts, LLC,

and

several hotels franchised and managed

by

Defendants

on

three

separate occasions

in

less

than

two years. Defendants' security failures

led

to

fraudulent charges

on

consumers' accounts, more

than

$10.6 million

in

fraud loss,

and the export

of

hundreds

of

thousands

of

consumers' payment card account

information to a

domain

registered in Russia.

In

all three security breaches,

hackers accessed sensitive consumer data

by

compromising Defendants' Phoenix,

Arizona data center.

JURISDICTION AND

VENUE

3.

This Court

has

subject matter jurisdiction pursuant to 28 U.S.C.

19 §§ 1331, 1337(a), and 1345, and 15 U.S.C. §§ 45(a)

and

53(b).

20

4. Venue is

proper

in

this district

under

28 U.S.C. § 1391(b), (c), and

21

15

U.S.C. § 53(b).

22

- 2 -

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 3 of 22

1

2

3

4

5

6

7

8

9

10

PLAINTIFF

5.

The

FTC

is

an

independent agency

of

the United States

Government

created

by

statute.

15

U.S.C. §§ 41-58. The

FTC

enforces Section 5(a)

of

the

FTC

Act,

15

U.S.C. § 45(a), which prohibits unfair

or

deceptive acts

or

practices

in

or

affecting commerce.

6.

The

FTC

is authorized to initiate federal district court proceedings,

by

its

own

attorneys, to enjoin violations

ofthe

FTC

Act

and to secure

such

equitable

relief

as

may

be

appropriate

in

each case.

15

U.S.C. § 53(b).

DEFENDANTS

7.

Defendant

Wyndham

Worldwide Corporation

("Wyndham

11

Worldwide") is a Delaware corporation

with

its principal office

or

place

of

12 business at 22 Sylvan Way, Parsippany,

New

Jersey 07054.

At

all times material

13

to this Complaint,

Wyndham

Worldwide has

been

in the hospitality business,

14 franchising

and

managing hotels throughout the United States.

Wyndham

15

Worldwide transacts

or

has

transacted business

in

this district

and

throughout the

16

United

States.

At

all relevant times, it has controlled the acts

and

practices

of

its

17 subsidiaries described

below

and

approved

of

or

benefitted from such subsidiaries'

18 acts and practices at issue in this Complaint. See Exhibit A for

an

organizational

19 chart depicting the entities

named

as Defendants

in

this Complaint.

20

8.

Defendant

Wyndham

Hotel Group,

LLC

("Hotel Group") is a

21 Delaware limited liability company

with

its principal office

or

place

of

business at

22 22 Sylvan Way, Parsippany,

New

Jersey 07054. Hotel Group operates a data

- 3 -

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 4 of 22

1 center in Phoenix, Arizona (the "Phoenix data center") that it uses to store and

2 process payment card data, and the payment card data

of

some

of

its subsidiaries,

3 including Wyndham Hotels and Resorts, LLC. Hotel Group

is

a wholly-owned

4 subsidiary

of

Wyndham Worldwide, and through its subsidiaries it franchises and

5 manages approximately 7,000 hotels under twelve hotel brands, one

of

which is

6 the Wyndham brand.

It

transacts or has transacted business in this district and

7 throughout the United States.

At

all relevant times, Hotel Group has controlled

8 the acts and practices

of

its subsidiaries described below and approved

of

or

9 benefitted from such subsidiaries' acts and practices at issue in this Complaint.

10

9.

Defendant Wyndham Hotels and Resorts, LLC ("Hotels and

11

Resorts") is a Delaware limited liability company with its principal office

or

place

12

of

business at 22 Sylvan Way, Parsippany,

New

Jersey 07054. Hotels and Resorts

13

is a wholly-owned subsidiary

of

Hotel Group. Throughout the relevant time

14

period, Hotels and Resorts has licensed the Wyndham name to independent hotels

15

through franchise agreements, and provided various services to those hotels,

16

including information technology services.

At

all times material to this

17

Complaint, Hotels and Resorts has licensed the Wyndham name to approximately

18

seventy-five independently-owned hotels under franchise agreements. Hotels and

19

Resorts transacts or has transacted business in this district and throughout the

20 United States, including franchising hotels located in Arizona. At all relevant

21

times, Hotel Group and Wyndham Worldwide have performed various business

22 functions on behalf

of

Hotels and Resorts, or overseen such business functions,

-4-

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 5 of 22

1 including legal assistance, human resources, finance, and information technology

2 and security. Hotel Group and Wyndham Worldwide controlled the acts and

3 practices

of

Hotels and Resorts that are at issue in this Complaint.

4

10

. Defendant Wyndham Hotel Management, Inc. ("Hotel

5 Management") is a Delaware corporation with its principal office or place

of

6 business at 22 Sylvan Way, Parsippany, New Jersey 07054. Hotel Management

is

7 also a wholly-owned subsidiary

of

Hotel Group. Like Hotels and Resorts, Hotel

8 Management licenses the Wyndham name to independently-owned hotels, but

9 does so under management agreements in which it agrees

to

fully operate the hotel

lOon

behalf

of

the owner. At all times material to this Complaint, Hotel

11

Management has licensed the Wyndham name to approximately fifteen

12

independently-owned hotels under management agreements. Hotel Management

13

transacts or has transacted business in this district and throughout the United

14

States, including managing at least one hotel in Arizona. At all relevant times,

15

Hotel Group and Wyndham Worldwide have performed various business

16

functions on Hotel Management's behalf, or overseen such business functions,

17

including legal assistance and information technology and security. Hotel Group

18

and Wyndham Worldwide controlled the acts and practices

of

Hotel Management

19

that are at issue in this Complaint.

20

11.

Defendants Wyndham Worldwide, Hotel Group, Hotels and Resorts,

21

and Hotel Management have operated

as

a common business enterprise while

22 engaging in the unfair and deceptive acts and practices alleged in this Complaint.

- 5 -

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 6 of 22

1 Defendants have conducted their business practices described below through an

2 interrelated network

of

companies that have common ownership, business

3 functions, employees, and office locations. Because these Defendants have

4 operated

as

a common enterprise, they are jointly and severally liable for the

5 unfair and deceptive acts and practices alleged below.

6

COMMERCE

7

12.

At

all times material to this Complaint, Defendants have maintained

8 a substantial course

of

trade in or affecting commerce, as "commerce" is defined

9 in Section 4

ofthe

FTC Act,

15

U.S.C. § 44.

10

DEFENDANTS' BUSINESS ACTIVITIES

11

Defendants' Business

Structure

12

13.

Wyndham Worldwide

is

a hospitality business that, through its

13

subsidiaries, franchises and manages hotels and sells timeshares.

It

conducts its

14

business through three subsidiaries, including Hotel Group. At all times relevant

15

to this Complaint, Hotel Group's wholly-owned subsidiaries, Hotels and Resorts

16

and Hotel Management, licensed the Wyndham brand name to approximately

17

ninety independently-owned hotels under franchise or management agreements

18

(collectively hereinafter "Wyndham-branded hotels").

19

Defendants'

Network

Infrastructure

20

14.

Throughout the relevant time period, Wyndham Worldwide has been

21

responsible for creating information security policies for itself and its subsidiaries,

22

including Hotel Group and Hotels and Resorts, as well

as

providing oversight

of

- 6 -

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 7 of 22

1 their information security programs. From at least 2008 until approximately June

2 2009, Hotel Group had responsibility for managing Hotels and Resorts'

3 information security program. In June 2009, Wyndham Worldwide took over

4 management and responsibility for Hotels and Resorts' information security

5 program.

6

15.

Under their franchise and management agreements, Hotels and

7 Resorts and Hotel Management require each Wyndham-branded hotel to purchase,

8 and configure to their specifications, a designated computer system, known as a

9 property management system, that handles reservations, checks guests in and out,

10

assigns rooms, manages room inventory, and handles payment card transactions.

11

These property management systems store personal information about consumers,

12

including names, addresses, email addresses, telephone numbers, payment card

13

account numbers, expiration dates, and security codes (hereinafter "personal

14

information").

15

16.

The property management systems for all Wyndham-branded hotels,

16

including those managed by Hotel Management, are part

of

Hotels and Resorts'

17

computer network, and are linked to its corporate network, much

of

which

is

18

located in the Phoenix data center. Hotels and Resorts' corporate network

19

includes its central reservation system, which coordinates reservations across the

20 Wyndham brand.

21

17.

Each Wyndham-branded hotel's property management system

is

22

managed by Defendants. Only Defendants, and not the owners

of

the Wyndham-

- 7 -

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 8 of 22

1 branded hotels, have administrator access that allows Defendants to control the

2 property management systems at the hotels. Defendants set the rules, including all

3 password requirements, that allow the Wyndham-branded hotels' employees to

4 access their property management systems.

5 18. Defendants have even more direct control over the computer

6 networks

of

the Wyndham-branded hotels managed by Hotel Management. Hotel

7 Management controls the "operation"

of

those hotels pursuant to its management

8 agreements, including their information technology and security functions and the

9 hiring

of

employees to administer the hotels' computer networks.

10

19.

The owners

of

the Wyndham-branded hotels pay Defendants fees to

11

support their property management systems and to connect them to Hotels and

12

Resorts' computer network. Defendants' technical support team is responsible for

13

addressing and resolving any technical issues that a Wyndham-branded hotel has

14

with its property management system. As explained further below, Defendants'

15

information security failures led to the compromise

of

many

of

the Wyndham-

16 branded-hotels' property management system servers, resulting in the exposure

of

17

thousands

of

consumers' payment card accounts.

18

DEFENDANTS'

DECEPTIVE

STATEMENTS

19

20. Hotels and Resorts operates a website where consumers can make

20 reservations at any Wyndham-branded hotel.

In

addition, some Wyndham-

21

branded hotels operate their own individual websites, which describe the

22 individual hotel and its amenities. Customers making reservations from a

- 8 -

1 Wyndham-branded hotel's individual website are directed back to Hotels and

2 Resorts' website to make the reservation.

3 21. Since at least 2008, Defendants have disseminated, or caused to be

4 disseminated, privacy policies or statements on their website to their customers

5 and potential customers. These policies or statements include, but are not limited

6 to, the following statement regarding the privacy and confidentiality

of

personal

7 information, disseminated on the Hotels and Resorts' website:

8

...

We recognize the importance

of

protecting the privacy

of

individual-specific (personally identifiable) information

9 collected about guests, callers

to

our central reservation

centers, visitors to our Web sites, and members participating

10

in our Loyalty Programs (collectively 'Customers')

....

11

This policy applies to residents

of

the United States, hotels

of

our Brands located in the United States, and Loyalty

12

Program activities in the United States only

....

13

We safeguard our Customers' personally identifiable

information by using industry standard practices. Although

14

"guaranteed security" does not exist either on or

off

the

Internet, we make commercially reasonable efforts to make

15

our collection

of

such Information consistent with all

applicable laws and regulations. Currently, our Web sites

16

utilize a variety

of

different security measures designed to

protect personally identifiable information from

17

unauthorized access by users both inside and outside

of

our

company, including the use

of

128-bit encryption based on a

18

Class 3 Digital Certificate issued by Veri sign Inc. This

allows for utilization

of

Secure Sockets Layer, which

is

a

19

method for encrypting data. This protects confidential

information -such

as

credit card numbers, online forms, and

20 financial data -from loss, misuse, interception and hacking.

We take commercially reasonable efforts to create and

21

maintain "fire walls" and other appropriate safeguards to

ensure that to the extent we control the Information, the

22 Information is used only as authorized by

us

and consistent

-9-

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 10 of 22

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

with

this Policy, and that the Information is not improperly

altered

or

destroyed.

22. There is a link to this privacy policy on each page

of

the Hotels and

Resorts' website, including its reservations page.

23. Although this statement is disseminated

on

the Hotels and Resorts'

website, it states that it is the privacy policy

of

Hotel Group.

DEFENDANTS' INADEQUATE DATA SECURITY PRACTICES

24. Since at least April 2008, Defendants failed to provide reasonable

and appropriate security for the personal information collected and maintained

by

Hotels and Resorts, Hotel Management, and the Wyndham-branded hotels,

by

engaging in a number

of

practices that, taken together, unreasonably and

unnecessarily exposed consumers' personal data

to

unauthorized access and theft.

Among other things, Defendants:

a.

failed to use readily available security measures to limit

access between and among the Wyndham-branded hotels'

property management systems, the Hotels and Resorts'

corporate network, and the Internet, such as by employing

firewalls;

b.

allowed software at the Wyndham-branded hotels to

be

configured inappropriately, resulting in the storage

of

payment card information in clear readable text;

c. failed to ensure the Wyndham-branded hotels implemented

-10

-

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 11 of 22

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

d.

e.

f.

adequate information security policies and procedures prior to

connecting their local computer networks to Hotels and

Resorts' computer network;

failed to remedy known security vulnerabilities

on

Wyndham-

branded hotels' servers that were connected to Hotels and

Resorts' computer network, thereby putting personal

information held

by

Defendants and the other Wyndham-

branded hotels at risk. For example, Defendants permitted

Wyndham-branded hotels to connect insecure servers to the

Hotels and Resorts' network, including servers using outdated

operating systems that could not receive security updates or

patches to address known security vulnerabilities;

allowed servers to connect to Hotels and Resorts' network,

despite the fact that well-known default user IDs and

passwords were enabled on the servers, which were easily

available to hackers through simple Internet searches;

failed to employ commonly-used methods to require user IDs

and passwords that are difficult for hackers to guess.

Defendants did not require the use

of

complex passwords for

access to the Wyndham-branded hotels' property

management systems and allowed the use

of

easily guessed

passwords. For example, to allow remote access to a hotel's

-

11-

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 12 of 22

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

g.

h.

1.

J.

property management system, which was developed by

software developer Micros Systems, Inc., Defendants used

the phrase "micros" as both the user ID and the password;

failed to adequately inventory computers connected to the

Hotels and Resorts' network so that Defendants could

appropriately manage the devices

on

its network;

failed to employ reasonable measures to detect and prevent

unauthorized access to Defendants' computer network

or

to

conduct security investigations;

failed to follow proper incident response procedures,

including failing to monitor Hotels and Resorts' computer

network for malware used in a previous intrusion; and

failed to adequately restrict third-party vendors' access

to

Hotels and Resorts' network and the Wyndham-branded

hotels' property management systems, such as

by

restricting

16 connections to specified IP addresses

or

granting temporary,

17

limited access, as necessary.

18

INTRUSIONS

INTO

DEFENDANTS'

COMPUTER

NETWORK

19

25. As a result

of

the failures described above, between April 2008 and

20

January 2010, intruders were able to gain unauthorized access to Hotels and

21

Resorts' computer network, including the Wyndham-branded hotels' property

22 management systems, on three separate occasions. The intruders used similar

-12

-

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 13 of 22

1 techniques on each occasion to access personal information stored on the

2 Wyndham-branded hotels' property management system servers, including

3 customers' payment card account numbers, expiration dates, and security codes.

4 After discovering each

of

the first two breaches, Defendants failed

to

take

5 appropriate steps in a reasonable time frame to prevent the further compromise

of

6 the Hotels and Resorts' network.

7

m~B~~

8 26. In April 2008, intruders first gained access to a Phoenix, Arizona

9 Wyndham-branded hotel's local computer network that was connected to the

10 Internet. The hotel's local network was also connected to Hotels and Resorts'

11

network through the hotel's property management system. Using this access, in

12

May

2008, the intruders attempted to compromise an administrator account on the

13

Hotels and Resorts' network by guessing multiple user IDs and passwords -

14 known as a brute force attack.

15

27. This brute force attack caused multiple user account lockouts over

16 several days, including one instance in which 212 user accounts were locked out,

17 before the intruders were ultimately successful. Account lockouts occur when a

18

user inputs an incorrect password multiple times, and are a well-known warning

19 sign that a computer network is being attacked. Defendants did not have

an

20 adequate inventory

of

the Wyndham-branded hotels' computers connected to its

21

network, and, therefore, although they were able to determine that the account

22 lockouts were coming from two computers on Hotels and Resorts' network, they

-13

-

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 14 of 22

1 were unable to physically locate those computers. As a result, Defendants did not

2 determine that the Hotels and Resorts' network had been compromised until

3 almost four months later.

4 28. The intruders' brute force attack led to the compromise

of

an

5 administrator account on the Hotels and Resorts' network. Because Defendants

6 did not appropriately limit access between and among the Wyndham-branded

7 hotels' property management systems, the Hotels and Resorts' own corporate

8 network, and the Internet -such as through the use

of

frrewalls -once the

9 intruders had access to the administrator account, they were able to gain unfettered

10

access to the property management system servers

of

a number

of

hotels.

11

29. Additionally, the Phoenix hotel's property management system

12

server was using an operating system that its vendor had stopped supporting,

13

including providing security updates and patch distribution, more than three years

14

prior to the intrusion. Defendants were aware the hotel was using this unsupported

15

and insecure server, yet continued to allow it

to

connect to Hotels and Resorts'

16

computer network.

17

30. In this frrst breach, the intruders installed memory-scraping malware

18

on numerous Wyndham-branded hotels' property management system servers,

19

thereby accessing payment card data associated with the authorization

of

payment

20 card transactions that was present temporarily on the hotels' servers.

21

31. In addition, the intruders located files on some

of

the Wyndham-

22 branded hotels' property management system servers that contained payment card

-14

-

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 15 of 22

1 account infonnation for large numbers

of

consumers, stored in clear readable text.

2 These files were created and stored in clear text because Defendants had allowed

3 the property management systems to be configured inappropriately to create these

4 files and store the payment card infonnation that way.

5 32. As a result

of

Defendants' unreasonable data security practices,

6 intruders were able to gain unauthorized access to the Hotels and Resorts'

7 corporate network, and the property management system servers

of

forty-one

8 Wyndham-branded hotels -twelve managed by Hotel Management and twenty-

9 nine franchisees

of

Hotels and Resorts. This resulted in the compromise

of

more

10

than 500,000 payment card accounts, and the export

of

hundreds

of

thousands

of

11

consumers' payment card account numbers to a domain registered in Russia.

12

Second Breach

13

33.

In

March 2009, approximately six months after Defendants

14

discovered the first breach, intruders were able again to gain unauthorized access

15

to the Hotels and Resorts' network, this time through a service provider's

16

administrator account in the Phoenix data center.

17

34. In May 2009, Defendants learned that several Wyndham-branded

18

hotels had received complaints from consumers about fraudulent charges made to

19

their payment card accounts after using those cards to pay for stays at Wyndham-

20 branded hotels. At that point, Defendants searched Hotels and Resorts' network

21

for the memory-scraping malware used in the previous attack, and found it on the

22 property management system servers

of

more than thirty Wyndham-branded

-15 -

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 16 of 22

1 hotels. As a result

of

Defendants' failure to monitor Hotels and Resorts' network

2 for the malware used in the previous attack, hackers had unauthorized access to

3 the Hotels and Resorts' network for approximately two months.

4 35. In addition to again using memory-scraping malware to access

5 personal information, in this second breach the intruders reconfigured software at

6 the Wyndham-branded hotels to cause their property management systems to

7 create clear text files containing the payment card account numbers

of

guests using

8 their payment cards at the hotels.

9 36. Ultimately, the intruders exploited Defendants' data security

10 vulnerabilities to gain access to the Hotels and Resorts' network and the property

11

management system servers ofthirty-nine Wyndham-branded hotels -nine

of

12

which were managed by Hotel Management and thirty franchisees

of

Hotels and

13

Resorts. In this second incident, the intruders were able to access information for

14 more than 50,000 consumer payment card accounts and use that information to

15

make fraudulent charges on consumers' accounts.

16

Third Breach

17

37. In late 2009, intruders again compromised an administrator account

18

on Hotels and Resorts' network. Because Defendants had still not adequately

19

limited access between and among the Wyndham-branded hotels' property

20 management systems, Hotels and Resorts' corporate network, and the

Internet-

21

such as through the use

of

firewalls -once the intruders had access to this

22 administrator account they were able again to access multiple Wyndham-branded

-16 -

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 17 of 22

1 hotels' property management system servers. As in the previous attacks, the

2 intruders installed memory-scraping malware to access payment card account

3 information held at the Wyndham-branded hotels.

4 38. Again, Defendants did not detect this intrusion themselves, but

5 rather learned

of

the breach from a credit card issuer. The credit card issuer

6 contacted Defendants in January 2010, and indicated that the account numbers

of

7 credit cards it had issued were used fraudulently shortly after its customers used

8 their credit cards to pay for stays at Wyndham-branded hotels.

9 39. As a result

of

Defendants' security failures, in this instance,

10

intruders compromised Hotels and Resorts' corporate network and the property

11

management system servers

of

twenty-eight Wyndham-branded hotels -eight

12

managed

by

Hotel Management and twenty franchisees

of

Hotels and Resorts. As

13

a result

of

this third incident, the intruders were able

to

access information for

14

approximately 69,000 consumer payment card accounts and again make fraudulent

15

purchases on those accounts.

16

Total Impact

of

Breaches

17

40. Defendants' failure to implement reasonable and appropriate

18

security measures exposed consumers' personal information to unauthorized

19

access, collection, and use. Such exposure

of

consumers' personal information

20 has caused and is likely

to

cause substantial consumer injury, including financial

21

injury, to consumers and businesses. For example, Defendants' failure to

22 implement reasonable and appropriate security measures resulted in the three data

-17

-

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 18 of 22

1

2

3

4

5

6

7

8

9

10

11

breaches described above, the compromise

of

more

than

619,000

consumer

payment card account numbers, the exportation

of

many

of

those account

numbers

to a domain registered in Russia, fraudulent charges

on

many consumers'

accounts, and more

than

$10.6 million in fraud loss. Consumers and businesses

suffered financial injury, including,

but

not limited to, unreimbursed fraudulent

charges, increased costs,

and

lost access to funds

or

credit. Consumers

and

businesses also expended

time

and

money

resolving fraudulent charges

and

mitigating subsequent harm.

VIOLATIONS

OF

THE

FTC

ACT

41. Section 5(a)

of

the

FTC

Act,

15

U.S.C. § 45(a), prohibits

"unfair

or

deceptive acts

or

practices

in

or

affecting commerce."

12 42. Misrepresentations

or

deceptive omissions

of

material fact constitute

13

deceptive acts

or

practices prohibited

by

Section 5(a)

of

the

FTC

Act.

14 43. Acts

or

practices are unfair under Section 5

ofthe

FTC

Act

if

they

15

cause

or

are likely to cause substantial injury to consumers that consumers

cannot

16 reasonably avoid themselves and that is

not

outweighed

by

countervailing benefits

17 to consumers

or

competition.

15

U.S.C. § 45(n).

18

Count

I

19 Deception

20

44.

In

numerous instances through the means described in

Paragraph

21,

21

in connection with the advertising, marketing, promotion, offering for sale,

or

sale

22

of

hotel services, Defendants have represented, directly

or

indirectly, expressly

or

-18

-

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 19 of 22

1 by implication, that they had implemented reasonable and appropriate measures to

2 protect personal information against unauthorized access.

3 45. In truth and in fact, in numerous instances in which Defendants have

4 made the representations set forth in Paragraph

44

of

this Complaint, Defendants

5 did not implement reasonable and appropriate measures to protect personal

6 information against unauthorized access.

7 46. Therefore, Defendants' representations

as

set forth in Paragraph 44

8

of

this Complaint are false or misleading and constitute deceptive acts or practices

9 in violation

of

Section 5(a)

of

the FTC Act,

15

U.S.C. § 45(a).

10

Count II

11

Unfairness

12

47. In numerous instances Defendants have failed to employ reasonable

13

and appropriate measures to protect personal information against unauthorized

14

access.

15

48. Defendants' actions caused or are likely to cause substantial injury

16 to consumers that consumers cannot reasonably avoid themselves and that is not

17

outweighed by countervailing benefits to consumers or competition.

18

49. Therefore, Defendants' acts and practices as described in Paragraph

19 47 above constitute unfair acts or practices in violation

of

Section 5

of

the FTC

20 Act,

15

U.S.C.

§§

45(a) and 45(n).

21

22

-19

-

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 20 of 22

1

2 50.

CONSUMER INJURY

Consumers

have

suffered

and

will continue to suffer substantial

3 ipjury as a result

of

Defendants'

violations

of

the

FTC

Act.

In

addition,

4 Defendants

have

been

unjustly enriched as a result

of

their unlawful

acts

or

5 practices.

Absent

injunctive

relief

by

this Court, Defendants are likely

to

continue

6 to injure consumers, reap

unjust

enrichment,

and

harm

the public interest.

7 THIS

COURT'S

POWER

TO

GRANT

RELIEF

8 51.

Section

13(b)

ofthe

FTC

Act,

15 U.S.C. § 53(b),

empowers

this

9

10

11

12

13

14

15

16

17

18

19

20

Court to

grant

injunctive

and

such

other

relief

as

the

Court

may

deem

appropriate

to

halt

and

redress violations

of

any

provision

of

law enforced

by

the

FTC.

The

Court,

in

the

exercise

of

its equitable jurisdiction,

may

award

ancillary relief,

including rescission

or

reformation

of

contracts, restitution,

the

refund

of

monies

paid,

and

the

disgorgement

of

ill-gotten monies, to

prevent

and

remedy

any

violation

of

any

provision

of

law

enforced

by

the

FTC.

PRA

YER

FOR

RELIEF

Wherefore,

Plaintiff

FTC,

pursuant

to

Section 13(b)

of

the

FTC

Act, 15

U.S.C. § 53(b),

and

the

Court's

own

equitable powers, requests

that

the

Court:

A.

Enter

a

permanent

injunction to

prevent

future violations

of

the

FTC

Act

by

Defendants;

B.

Award

such

relief

as the

Court

fmds necessary to redress injury to

21 consumers resulting

from

Defendants'

violations

of

the

FTC

Act, including

but

not

22 limited to, rescission

or

reformation

of

contracts, restitution, the

refund

of

monies

-

20-

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 21 of 22

1 paid, and the disgorgement

of

ill-gotten monies; and

2

C.

Award Plaintiff the costs

of

bringing this action, as well as such

3 other and additional relief as the Court may determine to be just and proper.

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

Dated: August 9, 2012

Respectfully submitted,

Willard K. Tom

General Counsel

Kristin Krause Cohen

Kevin

H.

Moriarty

Katherine

E.

McCarron

John A. Krebs

Andrea V. Arias

Federal Trade Commission

600 Pennsylvania Ave

N.W. Mail Stop NJ-8100

Washington, D.C. 20580

Facsimile: (202) 326-3062

E-mail: Ischiffede@ftc.gov

Telephone: (202) 326-3377

Attorneys for Plaintiff

Federal Trade Commission

-21 -

Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 22 of 22

1

2 CERTIFICATE OF SERVICE

3 I hereby certify that on August

9,2012,

I electronically transmitted the attached

document to the Clerk's Office using the CMlECF System for filing and

4 transmittal

of

a Notice

of

Electronic Filing to the following CMlECF registrants:

5 Eugene F. Assaf, Esq. eassaf@kirkland.com

K. Wynn Allen, Esq. winn.allen@kirkland.com

6 Douglas H. Meal, Esq. douglas.meal@ropesgray.com

Anne M. Chapman, Esq. achapman@omlaw.com

7 David B. Rosenbaum, Esq

..

drosenbaum@omlaw.com

Attorneys for Defendants, Wyndham Worldwide Corporation, et al.

8

sf Lisa W. Schifferle

9

10

11

12

13

14

15

16

17

18

19

20

21

22

-

22-

EXHIBIT A

Defendants’ Corporate Structure

Wyndham Worldwide Corporation

(Wyndham Worldwide)

Wyndham Hotel Group

(Hotel Group)

Wyndham Hotels and Resorts

(Hotels and Resorts)

Wyndham-

branded hotels

under franchise

agreements

Wyndham Hotel Management

(Hotel Management)

Wyndham-branded

hotels under

management

agreements

Case 2:12-cv-01365-PGR Document 28-1 Filed 08/09/12 Page 1 of 1