Popular travel-booking site Orbitz has likely been hacked, potentially exposing payment card information for people who bought plane tickets or booked hotel rooms over the course of two years.
The company said that it has uncovered evidence that about 880,000 payment cards were possibly impacted, along with other personal information, like names, payment card information, dates of birth, phone numbers, email addresses, physical and/or billing addresses and gender.
The company said evidence suggests an attacker may have accessed information stored on a legacy e-commerce platform during two periods: 1 January through 22 June 2016 and 1 October to 22 December 2017.
"We determined on March 1, 2018, that there was evidence suggesting that an attacker may have accessed personal information stored on this consumer and business partner platform," the Expedia-owned site said in a media statement. "We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform. To date, we do not have direct evidence that this personal information was actually taken from the platform. We deeply regret the incident, and we are committed to doing everything we can to maintain the trust of our customers and partners."
Mike Schuricht, vice president of product management at Bitglass, said that the issue may have arisen as an artifact of the acquisition integration. Expedia bought the company in September 2015.
“Any organization that is acquired by or is acquiring another business and its IT assets typically has a major blind spot with respect to its legacy or nonproduction systems,” Schuricht said via email. “As is the case with most audits and postmortems in the event of a breach, Expedia is likely looking back at the infrastructure affiliated with its prior acquisitions, like Travelocity, to ensure all of its owned databases are not similarly impacted. It’s always a concern when an organization only becomes aware of a breach months or years after it takes place – highlighting the inadequacy of reactive security solutions and auditing processes.”
Orbitz is offering customers a year of free credit monitoring; yet Nathan Wenzler, chief security strategist at San Francisco-based security consulting company AsTech, said that more is needed.
“Another day, another breach. And while the attackers show no signs of slowing down, companies really need to do more than just provide users a free year of credit monitoring services and consider their work done,” he said via email. “Legacy systems are common attack points, as they are often neglected, go without updates or patches and are commonly not monitored, which gives criminals an ideal avenue to gain access and steal whatever data may be resident there. In this case, it was nearly 900,000 credit card accounts. Credit monitoring may be a nice PR gesture, but it does not absolve companies from doing their due diligence around securing legacy systems and protecting their customers' data, no matter where it lives.”