| Recurring |
one_organization, multiple_organization |
(a) The software failure incident happened again at one_organization:
The software failure incident involving data breaches and security failures at Wyndham Worldwide occurred multiple times within the same organization. The FTC lawsuit mentioned three data breaches that took place in less than two years, with hackers gaining access to payment card account data and causing fraud losses exceeding $10.6 million [12608].
(b) The software failure incident happened again at multiple_organization:
The article mentions other companies that have experienced data breaches and security incidents, such as credit card processor Global Payments and social networking sites like LinkedIn, eHarmony, and Last.fm. These incidents involved the compromise of user data and passwords, indicating a broader trend of cybersecurity challenges across various organizations [12608]. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase can be attributed to various contributing factors introduced during system development and maintenance. The FTC lawsuit against Wyndham Worldwide and its subsidiaries highlighted several security failures in the design and development of their systems. These failures included storing data in plain text, not using firewalls, neglecting to remedy known security vulnerabilities, failing to update and patch software, keeping default user IDs and passwords on servers, and not requiring strong user passwords [12608].
(b) The software failure incident related to the operation phase can be linked to factors introduced by the operation or misuse of the system. In the case of Wyndham, hackers were able to gain access to the network and compromise administrator accounts, leading to data breaches and theft of payment card account information. The hackers used malware to steal data and reconfigure software to create clear text files containing customer payment card account numbers. These operational failures allowed the hackers to access and exploit the system for fraudulent transactions [12608]. |
| Boundary (Internal/External) |
within_system |
(a) The software failure incident involving Wyndham Worldwide's data breaches can be categorized as within_system. The failure was primarily due to internal factors such as storing data in plain text, lack of firewalls, failure to remedy known security vulnerabilities, and not updating and patching software [12608]. These internal security weaknesses within the system contributed to the successful hacking attempts and data breaches. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident at Wyndham Worldwide was primarily due to non-human actions. The failure was a result of security failures such as storing data in plain text, lack of firewalls, failure to remedy known security vulnerabilities, not updating and patching software, not changing default user IDs and passwords on servers, and not requiring strong user passwords. These factors enabled hackers to access more than 600,000 payment card accounts in three data breaches [12608]. The hackers exported the payment card account data to an Internet domain address registered in Russia and used the stolen data to make fraudulent transactions, resulting in significant financial losses [12608].
(b) However, human actions also played a role in the software failure incident. The FTC lawsuit alleged that Wyndham's privacy policy misrepresented the security measures taken to protect customer information. The company failed to implement adequate security practices, which were deemed unfair and deceptive, violating the FTC Act [12608]. Additionally, the hackers gained access to Wyndham systems through a service provider's administrator account and compromised an administrator account in separate incidents, indicating vulnerabilities in human access control and security practices [12608]. |
| Dimension (Hardware/Software) |
hardware, software |
(a) The software failure incident related to hardware:
- The FTC lawsuit against Wyndham Worldwide and its subsidiaries highlighted security failures that enabled hackers to access payment card accounts. The hackers exported the payment card account data to an Internet domain address registered in Russia, indicating a breach that involved hardware systems [12608].
(b) The software failure incident related to software:
- The FTC lawsuit mentioned various security failures by Wyndham, including storing card data in plain text, not using firewalls, failing to remedy known security vulnerabilities, and not updating and patching software. These software-related issues contributed to the security breach [12608]. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident in the article is malicious. The incident involved hackers gaining unauthorized access to Wyndham's systems through various means, including exploiting security vulnerabilities and using malware to steal payment card account data. The hackers then exported the stolen data to an Internet domain address registered in Russia and used it to make fraudulent transactions, resulting in significant financial losses. The Federal Trade Commission (FTC) filed a lawsuit against Wyndham Worldwide and its subsidiaries for allegedly storing data in plain text and failing to implement adequate security measures, which enabled the hackers to carry out their malicious activities [12608]. |
| Intent (Poor/Accidental Decisions) |
poor_decisions, accidental_decisions |
The software failure incident involving Wyndham Worldwide and the data breaches can be attributed to both poor decisions and accidental decisions.
(a) poor_decisions: The incident involved poor decisions such as storing data in plain text, failing to use firewalls, not remedying known security vulnerabilities, not updating and patching software, not changing default user IDs and passwords on servers, and not requiring strong user passwords [12608].
(b) accidental_decisions: The breaches also occurred due to accidental decisions or mistakes, such as hackers gaining access to Wyndham systems via a service provider's administrator account, compromising an administrator account, and using malware to steal data and reconfigure software to create clear text files containing payment card account numbers [12608]. |
| Capability (Incompetence/Accidental) |
development_incompetence, accidental |
(a) The software failure incident related to development incompetence is evident in the case of Wyndham Worldwide's data breaches. The U.S. Federal Trade Commission filed a lawsuit against Wyndham for allegedly storing data in plain text and other security failures that enabled hackers to access more than 600,000 payment card accounts in three data breaches in less than two years. The FTC suit alleges that Wyndham failed to use firewalls, remedy known security vulnerabilities, update and patch software, change default user IDs and passwords on servers, and require strong user passwords, indicating a lack of professional competence in implementing proper security measures [12608].
(b) The software failure incident related to accidental factors is seen in how hackers gained access to Wyndham systems via a service provider's administrator account in the Wyndham data center in Phoenix and had access to the network for about two months. The hackers used malware to steal data and reconfigured software to cause the hotel computer systems to create clear text files containing the payment card account numbers of customers, indicating accidental vulnerabilities that were exploited by the hackers [12608]. |
| Duration |
temporary |
The software failure incident at Wyndham Worldwide involving data breaches and security failures was temporary. The incident occurred over a period of less than two years, with three separate data breaches reported in the article [12608]. The breaches were identified and addressed individually, indicating that the failure was not permanent but arose from contributing factors introduced by specific circumstances, such as hacking incidents and security vulnerabilities. |
| Behaviour |
crash, omission, value, other |
(a) crash: The software failure incident in the article can be attributed to a crash as the hackers were able to compromise Wyndham's systems and cause the hotel computer systems to create clear text files containing payment card account numbers of customers, resulting in fraud losses of more than $10.6 million [12608].
(b) omission: The software failure incident can also be linked to omission as the FTC lawsuit alleges that Wyndham failed to use firewalls, remedy known security vulnerabilities, update and patch software, change default user IDs and passwords on servers, and require strong user passwords, which led to the security breaches and unauthorized access to payment card account data [12608].
(c) timing: There is no specific mention of the software failure incident being related to timing issues in the article.
(d) value: The software failure incident can be associated with a value failure as the hackers were able to access and misuse payment card account data, resulting in fraud losses of more than $10.6 million [12608].
(e) byzantine: The software failure incident does not exhibit characteristics of a byzantine failure as described in the article.
(f) other: The software failure incident can be categorized under the "other" behavior as it involved a combination of system crashes, omissions in security measures, and incorrect performance leading to unauthorized access and misuse of sensitive customer data [12608]. |