Hotel Online
News for the Hospitality Executive


Open Letter and FAQ Posted by Wyndham Hotels to Guests Who May
Have Had Their Credit Card Details Compromised Following
Intervention by a Hacker in late January, 2010

February, 2010

To our Wyndham Hotels and Resorts guests:

In late January, 2010, our company discovered that a sophisticated hacker penetrated the computer systems of one of the Wyndham Hotels and Resorts (WHR) data centers. By going through the centralized network connections, the hacker was then able to access and download information from several, but not all, of the WHR hotels and remove payment card information of a small percentage of our WHR customers. The incident did not affect any of the other branded hotels in the Wyndham Hotel Group system. We deeply regret that this incident occurred and are doing everything we can to notify our customers directly, to address and remedy the problem. 

In addition to ensuring that the hack was immediately terminated and disabled, we promptly retained a qualified investigator to assess the problem and ensure that we had isolated it, and then to help us implement the proper changes to strengthen and improve the security of our connections with each of our WHR branded properties. Further, the impacted properties are being separately investigated by a qualified PCI investigative firm to assess and improve the security at each hotel property in the system.

To ensure our customers' card numbers were protected, we provided each of the payment card companies (American Express, Visa, Mastercard and Discover) with the actual card numbers that were accessed so that these payment card companies could take such action as they deemed appropriate to monitor the use of the cards.

We also notified the Secret Service, as well as several states' attorneys general offices with information about the breach, and continue to work with law enforcement to assist in the investigations of this matter.

Because only payment card information was compromised, at this time, we cannot confirm the individuals whose card information may have been acquired. However, we will be contracting with a secure third party consumer reporting agency to match every active credit card in the United States with the consumer's name and address and we will personally provide notice to those individuals, as well as an offer for free credit monitoring for a period of time.

Potentially exposed through this breach are guest and/or cardholder names and card numbers, expiration dates and other data from the card's magnetic stripe. While unfortunately that information may be used for credit card fraud, at this time, no criminal identity theft related to the use of the consumer data has been identified. Importantly, we believe that it is unlikely that identity theft will occur because of the limited amount of information that was compromised. Birthdates, SSNs, addresses or other personally identifying information were not kept by the hotels and therefore not part of the compromise. Nevertheless, we recommend that you regularly monitor your card and bank statements and that you promptly report all suspicious activity to the financial institution that issued your card. 

What happened?
A hacker intruded on our systems and accessed customer information from a limited number of franchised and managed hotel properties. The hacker was able to move some information to an off-site URL before we discovered the intrusion.

When did it occur?
The data was moved off-site between late October, 2009 and January, 2010.

When did you know about it?
We discovered the event in late January, 2010.

How was it discovered?
We became aware that certain of our guests were concerned that their cards had been stolen and used fraudulently after staying at one of the WHR Hotels.

What action have you taken?
We immediately shut down the key impacted server and terminated all traffic to the offsite URL. We retained a Qualified PCI (Payment Card Industry) Assessment firm to perform a forensic investigation of the incident, which includes a review of certain Hotel property servers.

Who have you notified?
We notified the Secret Service, as well as the payment card companies. We also transferred all the potentially compromised card numbers to the payment card companies to enable them to be alert to unusual activity. We also notified the attorney generals of a number of different states as required.

What information was compromised?
Guest names and card numbers, expiration dates and other data from the card's magnetic stripe.

Where are the customers located?
The customers represent a cross-section of Wyndham's global customer base.

I stayed at a Wyndham Hotel. How will I know if I was affected?
Not all of the Wyndham Hotels were impacted, and those that were impacted were impacted for a limited period of time. If you believe that you may have been impacted, then CLICK HERE to complete a form providing information about your stay, and we will research the issue. If we determine that your card may have been compromised, we will provide you with personal notification and free credit monitoring services for a period of time.

Why has Wyndham not yet notified me personally?
Wyndham needs to complete its initial investigation and ensure that law enforcement authorities are aware of the incident. The full investigation is expected to take more than eight weeks, and it is not until it is concluded that we will understand the full extent of the information that may have been accessed. Moreover, the information that we believe may have been compromised does not include the addresses of the potentially affected individuals, so we will be working with a secure credit monitoring company to match the card numbers with the active US card holders and thereafter forward personal letters to those individuals. We expect this to occur by the end of March.

How do I activate a Fraud Alert?
You have the ability to have a fraud alert placed on your credit file at no charge. This alert lets creditors know of possible fraudulent activity within the report and requests that the creditor contact you prior to establishing any accounts in your name. This makes it more difficult for someone to get credit in your name, but it may also lead to a delay in the ability to obtain credit while the agency verifies your identity. There are two types of fraud alerts that you can place on your credit report to put your creditors on notice that you may be a victim of fraud: an “Initial Alert” and an “Extended Alert.” An Initial Alert stays on your credit report for 90 days. You may ask that an Initial Alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An Extended Alert stays on your credit report for seven years. In order to obtain the Extended Alert, you must provide proof to the credit reporting company (usually in the form of a police report) that you actually have been a victim of identity theft. You can place a fraud alert on your credit report by calling the toll-free fraud number of any of the three credit reporting agencies provided below. The credit reporting agency you select for placing a fraud alert typically notifies the other two agencies. Additional information may be obtained from

(800) 685-1111
P. O. Box 740241 
Atlanta, GA 30374-0241 
Experian Experian
(888) 397-3742
P. O. Box 9532
Allen, TX 75013 
TransUnion TransUnion
(800) 916-8800
P. O. Box 6790
Fullerton, CA 92834-6790

How do I place a Credit Freeze on my credit files?
In some U.S. states, you have the right to put a credit freeze (also known as a security freeze) on your credit file so that no new credit can be opened without the use of a PIN number that is issued when the freeze is initiated. A credit freeze is designed to prevent potential credit grantors from accessing a credit report without your consent. Therefore, using a credit freeze may interfere with or delay the ability to obtain credit. Since the instructions for how to establish a credit freeze differ from state to state, you should directly contact one of the three major consumer reporting agencies (Equifax, Experien, or Transunion) (numbers provided above) to find out more information. There may be fees for placing, lifting, and/or removing a credit freeze, which generally range from $5-20 per action. For more information on setting up this freeze, go to

If I believe my information has been abused as a result of the security breach, how do I report it?
If you believe you have been the victim of fraud due to the security issue, you should contact the financial institution or company with which the account is maintained. Also, you should report fraudulent activity to your local law enforcement authorities and file a police report. You may also learn additional information about preventing identity theft by going to

Wyndham prides itself on providing exceptional value for our guests. We deeply regret this incident occurred and we will work hard to restore your confidence in our brand.


Kirsten Hotchkiss
Senior Vice President
Enterprise Compliance and Employment Counsel
Wyndham Worldwide

Also See: AH&LA Leads to Ease Hotel Credit Card Compliance Burdens; Letter to Payment Card Industry Security Standards Council Outlines Important Changes to Help Safeguard Guest Data and Reduce Compliance Costs / June 2009

To search Hotel Online data base of News and Trends Go to Hotel.OnlineSearch
Home | Welcome| Hospitality News | Classifieds| One-on-One |
Viewpoint Forum | Industry Resources | Press Releases
Please contact Hotel.Onlinewith your comments and suggestions.