The Wyndham chain of hotels includes Ramada, Days Inn, Super 8, Howard Johnson and Travelodge, none of which I have stayed at in the last year, and frankly, I am really glad.
Not one, not two but three breaches have been disclosed to the public by Wyndham management in the last year. Because they have not disclosed which chain, or even which hotel, I can honestly say I now would not stay at any of them.
They also would not say how many customers were affected (because they probably don’t know).
A lot of companies provide very poor disclosure for legitimate reasons (an investigation still in progress, legal constraints, or an incident that is still unfolding). Unfortunately, plenty of other companies are poor disclosers simply because they don’t want to expose poor (in this case, extremely poor) management practices.
Gib Sorebo, a senior information security analyst for San Diego-based Science Applications International Corp. (SAIC), said “It’s important for the company’s legal counsel and communications team to work together on the proper wording of a notification letter, because one that’s short on details and steeped in legalese can cause further frustration among customers and business partners — opening the door to nasty rumors on what may have happened.”
Clearly Wyndham is up to speed on that part.
A good disclosure states clearly what information has been affected, what steps are being taken to detect criminal activity and to keep further breaches from happening, and what affected customers can do to avoid becoming victims of fraud.
A good incident response team can also make the difference, by establishing the exact details so that the legal and communications teams have real information to work with when deciding what can responsibly be disclosed. The emphasis here should be on “responsibly,” if they want to retain their customer base.
It seems that Wyndham is in the unenviable position of being a really good example of a bad example.
Rule of Thumb: Lose customer data, customers go elsewhere.