Travel site Orbitz suffers data breach affecting 880,000 credit cards

21 Mar 2018

Orbitz website. Image: chrisdorney/Shutterstock

Credit card data and personal information leaks in Orbitz data breach.

Online travel agency Orbitz yesterday (20 March) disclosed that bad actors may have gotten their hands on both credit card data and personal information from users who made purchases on the site between 1 January 2016 and 22 June 2016.

According to the company, hackers could have accessed approximately 880,000 payment cards from a “legacy Orbitz site”.

As well as the data submitted to the legacy site, Orbitz partner platform data submitted between 1 January 2016 and 22 December 2017 may have also been breached.

Breach affecting hundreds of thousands

The breach was first discovered by the company on 1 March. While crucial social security numbers, passport and travel information don’t appear to have been accessed, names, payment card details, email addresses, billing addresses and phone numbers could have been seized by hackers.

Orbitz, which is owned by travel giant Expedia, has not yet obtained direct evidence that the information has been stolen, but travel sites are a prime target for hackers as they are treasure troves of information with rich seams of data to mine and potentially exploit.

The company said: “Ensuring the safety and security of the personal data of our customers and our partners’ customers is very important to us.

“We deeply regret the incident, and we are committed to doing everything we can to maintain the trust of our customers and partners.”

The firm is notifying consumers that may have been breached and is also offering them a year of complimentary credit monitoring and identity protection services.

Orbitz added that it “took immediate steps to investigate the incident and enhance security and monitoring of the affected platform”.

It also said it brought in a panel of people to ensure the platform was rendered inaccessible. “As part of our investigation and remediation work, we brought in a leading third-party forensic investigation firm and other cybersecurity experts, began working with law enforcement, and took swift action to eliminate and prevent unauthorised access to the platform.”

A poor consolation for customers

Ken Spinner, vice-president of global field engineering at cybersecurity firm Varonis, told Siliconrepublic.com that the remedy offered by Orbitz and companies such as Equifax was a “a crummy consolation prize –typically a year’s worth of free credit monitoring and an emailed apology”.

Spinner added: “It’s entirely inadequate for exposing valuable consumer and payment data for, in this case, close to two years.”

Alex Heid, chief research officer at SecurityScorecard, noted that despite the slowdown in the disclosure of large data breaches, the Orbitz incident “indicates that data breaches are indeed happening constantly in 2018, and this year is likely to see more through the same attack vectors –  legacy systems and third-party vendors”.

Orbitz website. Image: chrisdorney/Shutterstock

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com