The office of Pennsylvania attorney general Josh Shapiro has reached a settlement with travel websites Orbitz and Expedia following an investigation into a 2018 data breach.
The cybersecurity incident, disclosed by Orbitz in March 2018, may have exposed the personal data of 20,755 Pennsylvanian customers.
An investigation into the breach, carried out by Shapiro's office and led by Deputy Attorney General Timothy Murphy, found that a threat actor had used malware to target up to 880,000 payment cards around the world by compromising Orbitz's online travel booking portal.
Orbitz was notified by a business partner in 2017 that the travel rewards redemption portal hosted on the Orbitz Legacy Platform may have been a common point of purchase in connection with fraudulent payment card transactions.
The Assurance of Voluntary Compliance, filed in Philadelphia County, alleges Orbitz violated Pennsylvania’s Unfair Trade Practices and Consumer Protection Law by making misrepresentations in its customer-facing privacy policy about the safeguarding of customers' personal information.
It further alleges that Orbitz failed to fully implement Expedia’s company policies related to data security and did not have several Payment Card Industry Data Security Standard (PCI DSS) controls in place at the time of the breach.
Under the terms of the settlement, Expedia and Orbitz will pay $110,000, which includes an $80,000 civil penalty. Expedia acquired Orbitz and its assets in September 2015.
Josh Shapiro said: "Just like that, someone broke into Orbitz’s IT system and vacationed in what was supposed to be a safe place for travelers. The breach showed the company’s promise to keep customer information secure was more like a leaky boat.
"We work every day to protect Pennsylvania consumers and to seek justice when any company misrepresents itself."
Expedia and Orbitz have agreed to strengthen their security practices going forward by implementing a comprehensive information security program on the Orbitz website, conducting an annual comprehensive risk assessment, and developing a plan and program for designing, implementing, and operating safeguards.
The companies have also agreed to perform regular security monitoring, logging, and testing; improve access control and account management tools; reorganize and segment their network; and comply with the Payment Card Industry Data Security Standard.