February, 2010
To our Wyndham Hotels and Resorts guests:
In late January, 2010, our company discovered that a sophisticated hacker
penetrated the computer systems of one of the Wyndham Hotels and Resorts
(WHR) data centers. By going through the centralized network connections,
the hacker was then able to access and download information from several,
but not all, of the WHR hotels and remove payment card information of a
small percentage of our WHR customers. The incident did not affect any
of the other branded hotels in the Wyndham Hotel Group system. We deeply
regret that this incident occurred and are doing everything we can to notify
our customers directly, to address and remedy the problem.
In addition to ensuring that the hack was immediately terminated and
disabled, we promptly retained a qualified investigator to assess the problem
and ensure that we had isolated it, and then to help us implement the proper
changes to strengthen and improve the security of our connections with
each of our WHR branded properties. Further, the impacted properties are
being separately investigated by a qualified PCI investigative firm to
assess and improve the security at each hotel property in the system.
To ensure our customers' card numbers were protected, we provided each
of the payment card companies (American Express, Visa, Mastercard and Discover)
with the actual card numbers that were accessed so that these payment card
companies could take such action as they deemed appropriate to monitor
the use of the cards.
We also notified the Secret Service, as well as several states' attorneys
general offices with information about the breach, and continue to work
with law enforcement to assist in the investigations of this matter.
Because only payment card information was compromised, at this time,
we cannot confirm the individuals whose card information may have been
acquired. However, we will be contracting with a secure third party consumer
reporting agency to match every active credit card in the United States
with the consumer's name and address and we will personally provide notice
to those individuals, as well as an offer for free credit monitoring for
a period of time.
Potentially exposed through this breach are guest and/or cardholder
names and card numbers, expiration dates and other data from the card's
magnetic stripe. While unfortunately that information may be used for credit
card fraud, at this time, no criminal identity theft related to the use
of the consumer data has been identified. Importantly, we believe that
it is unlikely that identity theft will occur because of the limited amount
of information that was compromised. Birthdates, SSNs, addresses or other
personally identifying information were not kept by the hotels and therefore
not part of the compromise. Nevertheless, we recommend that you regularly
monitor your card and bank statements and that you promptly report all
suspicious activity to the financial institution that issued your card.
What happened?
A hacker intruded on our systems and accessed customer information
from a limited number of franchised and managed hotel properties. The hacker
was able to move some information to an off-site URL before we discovered
the intrusion.
When did it occur?
The data was moved off-site between late October, 2009 and January,
2010.
When did you know about it?
We discovered the event in late January, 2010.
How was it discovered?
We became aware that certain of our guests were concerned that their
cards had been stolen and used fraudulently after staying at one of the
WHR Hotels.
What action have you taken?
We immediately shut down the key impacted server and terminated all
traffic to the offsite URL. We retained a Qualified PCI (Payment Card Industry)
Assessment firm to perform a forensic investigation of the incident, which
includes a review of certain Hotel property servers.
Who have you notified?
We notified the Secret Service, as well as the payment card companies.
We also transferred all the potentially compromised card numbers to the
payment card companies to enable them to be alert to unusual activity.
We also notified the attorneys general of a number of different states
as required.
What information was compromised?
Guest names and card numbers, expiration dates and other data from
the card's magnetic stripe.
Where are the customers located?
The customers represent a cross-section of Wyndham's global customer
base.
I stayed at a Wyndham Hotel. How will I know if I was affected?
Not all of the Wyndham Hotels were impacted, and those that were impacted
were impacted for a limited period of time. If you believe that you may
have been impacted, then CLICK HERE to complete a form providing
information about your stay, and
we will research the issue. If we determine that your card may have been
compromised, we will provide you with personal notification and free credit
monitoring services for a period of time.
Why has Wyndham not yet notified me personally?
Wyndham needs to complete its initial investigation and ensure that
law enforcement authorities are aware of the incident. The full investigation
is expected to take more than eight weeks, and it is not until it is concluded
that we will understand the full extent of the information that may have
been accessed. Moreover, the information that we believe may have been
compromised does not include the addresses of the potentially affected
individuals, so we will be working with a secure credit monitoring company
to match the card numbers with the active US card holders and thereafter
forward personal letters to those individuals. We expect this to occur
by the end of March.
How do I activate a Fraud Alert?
You have the ability to have a fraud alert placed on your credit file
at no charge. This alert lets creditors know of possible fraudulent activity
within the report and requests that the creditor contact you prior to establishing
any accounts in your name. This makes it more difficult for someone to
get credit in your name, but it may also lead to a delay in the ability
to obtain credit while the agency verifies your identity. There are two
types of fraud alerts that you can place on your credit report to put your
creditors on notice that you may be a victim of fraud: an "Initial Alert"
and an "Extended Alert." An Initial Alert stays on your credit report for
90 days. You may ask that an Initial Alert be placed on your credit report
if you suspect you have been, or are about to be, a victim of identity
theft. An Extended Alert stays on your credit report for seven years. In
order to obtain the Extended Alert, you must provide proof to the credit
reporting company (usually in the form of a police report) that you actually
have been a victim of identity theft. You can place a fraud alert on
your credit report by calling the toll-free fraud number of any of the
three credit reporting agencies provided below. The credit reporting
agency you select for placing a fraud alert typically notifies the other
two agencies. Additional information may be obtained from www.annualcreditreport.com.
Equifax
(800) 685-1111
www.equifax.com
P. O. Box 740241
Atlanta, GA 30374-0241

Experian
(888) 397-3742
www.experian.com
P. O. Box 9532
Allen, TX 75013

TransUnion
(800) 916-8800
www.transunion.com
P. O. Box 6790
Fullerton, CA 92834-6790
How do I place a Credit Freeze on my credit files?
In some U.S. states, you have the right to put a credit freeze (also
known as a security freeze) on your credit file so that no new credit can
be opened without the use of a PIN number that is issued when the freeze
is initiated. A credit freeze is designed to prevent potential credit grantors
from accessing a credit report without your consent. Therefore, using a
credit freeze may interfere with or delay the ability to obtain credit.
Since the instructions for how to establish a credit freeze differ from
state to state, you should directly contact one of the three major consumer
reporting agencies (Equifax, Experian, or TransUnion) (numbers provided
above) to find out more information. There may be fees for placing, lifting,
and/or removing a credit freeze, which generally range from $5-20 per action.
For more information on setting up this freeze, go to www.ftc.gov.
If I believe my information has been abused as a result of the security
breach, how do I report it?
If you believe you have been the victim of fraud due to the security
issue, you should contact the financial institution or company with which
the account is maintained. Also, you should report fraudulent activity
to your local law enforcement authorities and file a police report. You
may also learn additional information about preventing identity theft by
going to www.ftc.gov.
Wyndham prides itself on providing exceptional value for our guests.
We deeply regret this incident occurred and we will work hard to restore
your confidence in our brand.
Sincerely,
Kirsten Hotchkiss
Senior Vice President
Enterprise Compliance and Employment Counsel
Wyndham Worldwide