Orbitz: Data breach affects 880,000 payment cards

Orbitz announced that information such as names, phone numbers, email and billing addresses may have been accessed, but Orbitz.com was not impacted. Photo credit: Orbitz

Orbitz disclosed earlier this week a security breach that may have exposed the data of thousands of customers, including information on 880,000 payment cards. The breach was discovered March 1.

The Expedia-owned travel website operator said the breach affected an older website and the platform of an unnamed business partner. The hackers “likely accessed” people’s names, dates of birth, email addresses, street addresses and genders, Orbitz said.

The breach, which took place between October and December 2017 and involved records dating between Jan. 1, 2016 and Dec. 22, 2017, did not affect its current website, Orbitz.com, nor did it involve any Social Security numbers, Orbitz said. The company said it “has not found any evidence” that other customer information was affected, like travel itineraries or passports. However, Orbitz said that it doesn't have direct evidence that any of this information was actually stolen.

Expedia stressed that its own Expedia platform was not impacted. Expedia acquired Orbitz in September 2015, four months before the earliest affected records. Orbitz has not shared details regarding how the breach occurred.

“This attack seems to have been pulled off through the exploitation of legacy platforms and third-party vendors,” said Alex Heid, white hat hacker and chief research officer at SecurityScorecard, in a statement. “There has been a slowdown in breaches of this size that have been disclosed within the last few months. However, this indicates that data breaches are indeed happening constantly in 2018 and this year is likely to see more through the same attack vectors—legacy systems and third-party vendors.”

There has been a huge string of acknowledged breaches in the past several years: Kimpton Hotels, HEI Hotels and Resorts, Millennium Hotels & Resorts North America, the Hard Rock Hotel & Casino in Las Vegas (twice), Trump Hotels (twice), Golden Nugget hotels, Mandarin Oriental, Omni Hotels, Two Roads Hospitality and White Lodging all have been victims of data breaches.

In addition, Sabre Corporation disclosed a breach of its hospitality solutions SynXis central-reservations system that may have exposed consumers' payment card data and personally identifiable information. Four Seasons, Trump Hotels, Hard Rock Hotels & Casinos, and Loews Hotels all announced that they were affected by the SynXis breach.

Token CEO Zohar Steinberg said companies do not do enough to protect personal information. “It is frustrating that we, as consumers, trust businesses with our information but keep paying the price when they get breached,” he said. “Data breaches are becoming too frequent and consumers are losing faith in the system, and according to Paysafe Research, 55 percent of consumers think that fraud is an inevitable part of shopping online.

“We as consumers can take matters into our own hands and use payment security services that secure our information because the best way to protect our information is to not share it in the first place. Today, cardholders and consumers can use new services that leverage tokenization, virtual cards, two-factor authentication and more for free.”

Orbitz said that it is notifying those that might have been impacted by the breach and is offering a year of complimentary credit monitoring and identity protection services via this website.

“We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform,” Orbitz said in a statement. “As part of our investigation and remediation work, we brought in a leading third-party forensic investigation firm and other cybersecurity experts, began working with law enforcement and took swift action to eliminate and prevent unauthorized access to the platform.”