Orbitz Breach Exposes Customer Data, 880,000 Payment Cards
The breach, which occurred last fall, also leaked customer names, dates of birth, phone numbers, and email addresses.
Popular travel fare aggregator website Orbitz said this week that it was making strides to notify some of its customers and business partners of a data breach that impacted its service last year.
The website, which is headquartered in Chicago, said Tuesday morning that customers’ full names, payment card information, dates of birth, phone numbers, email addresses, physical and billing addresses, and genders may have been leaked as part of the incident.
The site, which is owned by Orbitz Worldwide, Inc., an Expedia Inc. subsidiary, said in a statement provided to reporters that approximately 880,000 payment cards were impacted as part of the incident.
The company discovered the breach earlier this month while conducting an investigation of a legacy booking platform.
The breach apparently occurred between October 1 and December 22 when an attacker accessed data that was submitted for purchases made by customers for roughly six months - between January 1, 2016 and June 22 – that year and nearly two years - between January 1, 2016 and December 22, 2017 - for partners' customers.
Neither customers' Social Security numbers, passport or travel itinerary information was spilled as part of the breach, the company stresses.
While it operates a stand alone website, Orbitz's platform also serves as a booking engine for travel websites like Amextravel.com and travel booked through Amex Travel Representatives.
American Express, for its part, issued a statement on Tuesday reiterating its systems were not implicated as part of the attack but that it would alert its cardmembers if any of their accounts are ultimately impacted.
Orbitz downplayed the breach on Tuesday by insisting it has no evidence the attackers actually exfiltrated personal information from the platform, adding that Social Security numbers weren’t included in the incident, as they’re not collected or held on the platform.
The company declined to specify exactly how a malicious actor infiltrated the platform, instead it only said the company brought on a third party forensic firm to investigate the incident before eliminating unauthorized access to the platform.
Travel sites are no stranger to data breaches. Viator, a tour and travel booking site that's part of TripAdvisor, notified 1.4 million customers their information may have been compromised in 2014. The company was informed by its payment card service provider when unauthorized charges began popping up on customers' credit cards. 880,000 Viator customers - coincidentally the same number of customers affected by the Orbitz breach - had their payment card information, including encrypted credit or debit card numbers, card expiration dates, names, billing addresses, and email addresses compromised. 560,000 additional customers had their account information, like their encrypted password and nickname, exposed.
Travelocity, another subsidiary of Expedia was forced to apologize back in 2001 after personal information belonging to 45,000 of its customers, including names, addresses, phone numbers and e-mail addresses, was left on a server accessible to anyone.