The US Federal Trade Commission has sued Wyndham Worldwide and three of its subsidiaries for poor data security, it was announced in late June. To be clear this is a lawsuit and it is not a statement of guilt. As of this writing Wyndham has not agreed to any of the items in the suit. That said, the allegations are pretty serious. I am commenting here on the information in the suit and I have no personal knowledge of what Wyndham did or did not do, so I cannot comment on that.
For me, two allegations sound serious: they didn’t use firewalls (at least in some instances), and, more interestingly, they “allowed software at the Wyndham-branded hotels to be configured inappropriately, resulting in the storage of payment card information in clear readable text.” [Insert loud scream here.]
We will talk about firewalls another time. I want to address two aspects of the allegation that Wyndham stored credit card information in “clear readable text” (unencrypted). First is the actual unencrypted storage of the card numbers. This is a big problem because, as the suit alleges, bad guys could access the data and steal it. The deeper issue is that nobody caught it. Were there no audit procedures in place? Didn’t programmers raise an alarm that they were accessing the card info without having to specify a password or key? How did such a design get past a design team? To be fair, maybe there was an audit, maybe the programmers did complain and encryption was in the design. I don’t know. But I do know that anyone storing card info out there needs to consider this. The Payment Card Industry (PCI) has standards for storing card information, and that’s what makes this odd, indeed.
The second aspect is the “configured inappropriately” part. Even if the proper tools are in place, a human has to do the configuration, and humans make mistakes. Period. That means that double- and triple-checking procedures (auditing) need to be in place when sensitive information is involved. My wife cringes every time we park the car while we are out shopping and I ask “did you lock it?” That’s what the annoying honk after pressing the lock button a second time is for.
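Here is what one of those “did you lock it?” checks can look like in practice: an audit script that scans stored values (database columns, log lines) for anything that looks like a cleartext card number, so a misconfiguration like the one alleged gets noticed before an attacker does. This is an added example of mine, not code from the post or from Wyndham; the records it scans are constructed, the column and file names are hypothetical, and the card numbers are the standard test numbers used for checkout testing. It uses the Luhn checksum to cut down on false positives from order IDs and timestamps, and it masks every hit so the audit report itself does not become another cleartext copy of the data.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample of what an audit might pull from a misconfigured system.
# Locations are hypothetical; the card numbers are well-known test numbers.
SAMPLE_RECORDS = [
    ("reservations.guest_notes", "Guest paid with card 4111111111111111, exp 12/26"),
    ("reservations.card_ref", "tok_9f8e7d6c"),  # a token, not a PAN: should not be flagged
    ("pos.log", "2012-06-26 10:15:02 INFO order=10001234567890 approved"),
    ("pos.log", "2012-06-26 10:16:40 DEBUG card=5500 0000 0000 0004 swipe ok"),
]

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded inside a longer run of digits.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for every real card number, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def extract_pans(text: str) -> List[str]:
    """Return the digit strings in text that look like card numbers and pass Luhn."""
    found = []
    for match in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def audit_records(records: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Scan (location, value) pairs; report masked hits so the report stays safe to share."""
    findings = []
    for location, value in records:
        for pan in extract_pans(value):
            findings.append((location, mask(pan)))
    return findings


if __name__ == "__main__":
    for location, masked in audit_records(SAMPLE_RECORDS):
        print(f"cleartext card number found in {location}: {masked}")
```

Run against the sample, it flags the guest-notes column and the debug log line but stays quiet on the token and the 14-digit order number (which fails Luhn). In a real environment you would point `audit_records` at a sample of each table and log file, run it on a schedule, and treat any hit as an incident, not a curiosity.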
When I write or design software, I don’t like having to remember what data is encrypted and what isn’t. I don’t like to specify passwords, keys or certificates unless it is absolutely necessary. One solution is to encrypt a whole database or whole disk. There are multiple solutions depending on the applications, how they will be used and so forth. I can’t presume to know or guess what the right solution in Wyndham’s case is or was. The point is that sensitive data needs to be strongly encrypted. We make this point in Learning Tree’s System and Network Security Course.
I should add that encryption is not a be-all-and-end-all for security. It merely makes hacking more difficult. A persistent hacker is still a big threat, but secured information makes an organization less of a target for the “average” bad guy.
I’d like to hear from programmers and database designers about what you like to do in the way of encryption (and don’t say “Nothing”!). Post a comment below and share, please.