Expedia subsidiary Orbitz has revealed that a legacy Orbitz travel booking platform was compromised and that personal user information and payment card data might have been accessed by unauthorized parties.
The security incident was discovered on March 1, 2018, and apparently an attacker “may have accessed certain personal information, stored on this consumer and business partner platform, that was submitted for certain purchases made between January 1, 2016 and June 22, 2016 (for Orbitz platform customers) and between January 1, 2016 and December 22, 2017 (for certain partners’ customers).”
The potentially compromised information includes customers’ full name, date of birth, phone number, email address, physical and/or billing address, and gender, as well as information tied to about 880,000 payment cards.
The company has made sure to note that passport and travel itinerary information was not accessed, and that the current Orbitz.com website was not involved in this incident.
A statement released by American Express offers a bit more clarification:
“The attack involved an Orbitz platform which serves as the underlying booking engine for many online travel websites, including Amextravel.com and travel booked through Amex Travel Representatives. This was not an attack on, and did not compromise, American Express Global Business Travel or the American Express platforms that Card Members use to manage their American Express Card accounts.”
American Express added that it will be monitoring its Card Member accounts for unusual activity and elevating fraud monitoring for those accounts that might have been impacted by the Orbitz attack. It will also be reaching out to its impacted travel customers to provide additional information and two years of complimentary credit monitoring and identity protection services.
Orbitz has notified law enforcement agencies and potentially impacted customers and business partners of the attack, and is offering affected customers one year of complimentary credit monitoring and identity protection service in countries where available.
“Orbitz is not alone in its lack of visibility into some systems. Any organization that is acquired by or is acquiring another business and its IT assets typically has a major blind spot with respect to its legacy or non-production systems,” commented Mike Schuricht, VP Product Management, Bitglass.
“As is the case with most audits and post-mortems in the event of a breach, Expedia is likely looking back at the infrastructure affiliated with its prior acquisitions, like Travelocity, to ensure all of its owned databases are not similarly impacted. It’s always a concern when an organization only becomes aware of a breach months or years after it takes place – highlighting the inadequacy of reactive security solutions and auditing processes.”