Expedia's Orbitz Suspects 880,000 Payment Cards Stolen
Hacker May Have Also Obtained Other Customer Data in Breach, Orbitz Warns
Travel fare aggregation site Orbitz on Tuesday warned that a hacker may have stolen customers' personal information and payment card details over a two-year period.
Chicago-based Orbitz, a subsidiary of Bellevue, Washington-based Expedia, says that on March 1, it discovered the suspected breach in a legacy system, noting that it may have exposed customer data that it collected between Jan. 1, 2016, and Dec. 22, 2017.
The breach itself may have taken place from Oct. 1, 2017, to Dec. 22, 2017, Orbitz says, resulting in the theft of details on 880,000 payment cards. In addition, a hacker may have accessed data tied to purchases, including customers' names, birth dates, phone numbers, email addresses, mailing addresses as well as gender, Orbitz says.
Orbitz says the breached system is not part of its current website.
The company says it's working with an unnamed digital forensic investigation firm to investigate the breach, and that it has notified law enforcement agencies. It also plans to offer breach victims one year of prepaid services to help monitor for fraud and other types of identity theft that may result from the suspected breach.
"We deeply regret the incident, and we are committed to doing everything we can to maintain the trust of our customers and partners," the company says in a statement.
Orbitz confirmed to Information Security Media Group that the suspected breach does not only involve data for U.S. consumers. "I can confirm the incident has a global impact," a representative says.
From Expedia Competitor to Subsidiary
Orbitz was founded in 2001 by major airlines as a travel search engine and fare aggregation site to compete with Expedia, Travelocity and others.
After a succession of owners, Orbitz was purchased in September 2015 by Expedia for $1.2 billion in cash as part of a move to better compete with Priceline.
Expedia first announced the acquisition in February 2015, shortly after it said it would be acquiring Travelocity for $280 million.
No 'Direct Evidence' of Data Theft
In its Tuesday statement, Orbitz says it has no "direct evidence" that payment card details and customer information were stolen.
But information security expert Brian Honan says such statements may belie an organization failing to have put in place the right tools, audit and security logs, as well as skilled expertise, that would have allowed it to make a definitive data breach damage assessment (see E*Trade, Dow Jones: 7 Breach Lessons).
Furthermore, many breached businesses only belatedly discover they were hacked, often after payment card issuers trace fraud to payment cards used at a particular organization.
Legacy Systems Live On
If Orbitz was hacked, however, Expedia would be the latest firm to fall victim to a breach after acquiring a company and its IT infrastructure.
In October 2015, London-based telecommunications giant TalkTalk suffered a breach that resulted in the exposure of almost 157,000 TalkTalk customers' personal details, plus bank accounts and sort codes for more than 15,000 customers.
An investigation conducted by Britain's privacy watchdog, the Information Commissioner's Office, found that TalkTalk was hacked via SQL injection attacks against a database that was created by Italian telecommunications firm Tiscali (see TalkTalk Hack: Two Men Plead Guilty).
TalkTalk acquired Tiscali's U.K. operations in 2009, but the ICO found that the company failed to properly catalog and manage the related infrastructure. Notably, the MySQL open source SQL database management system that was hacked in 2015 hadn't yet been updated with a critical MySQL patch that was released in 2012.