The government is going after a major hotel operator for failing to secure its guests' credit card information.
The Federal Trade Commission on Tuesday filed a lawsuit against Wyndham Worldwide, claiming flaws in its security system led to three data breaches in less than three years. Those breaches, in turn, led to the export of hundreds of thousands of card account data to a Russian-registered website, millions of dollars in losses and an indeterminate number of fraudulent charges on consumer cards, the FTC claims in its complaint.
In one incident in 2008, hackers got into the computer system of one of its Phoenix hotels and then gained access to the corporate system. More than 500,000 card accounts were compromised. Two more similar breaches followed in 2009 and led to more than 119,000 compromised card accounts.
For its part, the hotel company is contesting the suit as without merit and says it has since upgraded its security measures, according to a statement from Wyndham. It also said that it immediately alerted hotel customers who may have been affected by those past breaches and offered credit monitoring services to them.
"To date, we have not received any indication that any hotel customer experienced a financial loss as a result of these attacks," the company said in a statement.
For those whose credit card data were stolen, their financial liability is zero under federal law. Cardholders are only responsible for unauthorized charges, up to $50 only, if their actual card is stolen or lost and those charges are made before the card is reported missing. If you report the card missing before any unapproved charges, you have no liability. And if your card account information is taken, rather than your card, you have no liability. So says the Fair Credit Billing Act.
Here's another take-away from yet another data breach story: It's worth looking over your credit card statement. While your loss liability is practically zero, the loss of your financial identity is immeasurable.
A thief may not just get your credit card information from a security breach, but personal data too, such as a Social Security number or date of birth. That might be enough for him or her to impersonate you and apply for credit under your name.
So, it pays to check your statements closely and report any odd charges to your issuer immediately. You may also want to pull your credit reports -- you get free ones every 12 months from the bureaus -- to make sure no new accounts have been opened under your name without your permission.
If you find some, check out Bankrate's steps to deal with identity theft.
Have you had to deal with a security breach? If so, any lessons learned? Tell me your story.
Follow me on Twitter: @JannaHerron