Skip to content ↓ | Skip to navigation ↓

Online travel services firm Orbitz has revealed that it has suffered a “data security incident” which may have compromised the sensitive information of hundreds of thousands of customers.

According to Orbitz, which was acquired by Expedia in two years ago, hackers were able to infiltrate a legacy version of the company’s travel booking platform between October 1, 2017 and December 22, 2017. The unauthorised intruders may have accessed the personal data of approximately 880,000 customers, including the following information:

  • customers’ payment card details
  • customers’ full names
  • customers’ dates of birth
  • customers’ gender
  • customers’ email addresses
  • customers’ physical addresses
  • customers’ billing addresses
  • customers’ phone numbers

The data is said to be related to purchases made in the first six months of 2016 for Orbitz platform customers, and between January 1 2016 and December 22 2017 for “certain partners’ customers.”

This exposure for almost two years of the customers of Orbitz’s business partners is an important point.

It’s very possible that your company, for instance, books your travel through a service like Amex Global Business Travel, and as a consequence may not realise that Amex was relying upon Orbitz’s services.

It may be trued that American Express’s systems were not compromised by a hacker, and that it was a third party – Orbitz – that was targeted, but American Express’s brand still ends up tarnished in the eyes of affected customers.

It’s no wonder more and more companies are waking up to the importance of thoroughly vetting the security measures their business partners have in place to protect data.

The very real risk is that identity thieves and online criminals may attempt to exploit the information extracted from Orbitz to defraud unsuspecting individuals. Scams may arrive via email, in bogus phone calls, or even via post. As a consequence it’s a good idea to keep a close eye on your finances, query unusual transactions, and be wary of unsolicited communications.

There is some good news, however.

Orbitz is at pains to point out that it had found no evidence that other types of personal information, including passport and travel itineraries, were exposed. Additionally, as social security numbers are not requested or held by the firm – there’s no danger that they have been exposed by this breach.

Furthermore, in an apparent attempt to reassure existing and future customers, Orbitz underlines that the attack was on a legacy system, and that the current website is “not in any way involved.” Of course, that is little consolation to those travellers who have already had their personal information exposed.

Orbitz says that it confirmed at the beginning of March that a security breach had occurred, and has called in a security firm to help with the ongoing investigation.

On a website set up to assist affected customers, Orbitz says it is offering affected customers one year’s worth of complimentary credit monitoring and identity protection.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.