Orbitz warned that hackers likely stole 880,000 credit card details and users' personal information between Jan. 2016 and Dec. 2017.

Orbitz, which is owned by Expedia, said its legacy platform may have been hacked and the personal information of customers who made purchases online between Jan 1, 2016 and Dec 22, 2017 may have been exposed. Hackers likely gained access to 880,000 payment cards as well as the following personal information: full name, payment card information, date of birth, phone number, email address, physical and/or billing address, and gender.

Orbitz announced the “data security incident” on March 20, saying:

While conducting an investigation of a legacy Orbitz travel booking platform (the “platform”), Orbitz determined on March 1, 2018 that there was evidence suggesting that, between October 1, 2017 and December 22, 2017, an attacker may have accessed certain personal information, stored on this consumer and business partner platform, that was submitted for certain purchases made between January 1, 2016 and June 22, 2016 (for Orbitz platform customers) and between January 1, 2016 and December 22, 2017 (for certain partners’ customers). Orbitz immediately began investigating the incident and made every effort to remediate the issue, including taking swift action to eliminate and prevent unauthorized access to the platform.

Orbitz claims to have immediately brought in third-party forensic investigators after determining there was “likely unauthorized access.”

“Orbitz is not alone in its lack of visibility into some systems,” said Mike Schuricht, VP of product management at Bitglass. Schuricht added:

Any organization that is acquired by or is acquiring another business and its IT assets typically has a major blind spot with respect to its legacy or non-production systems.
As is the case with most audits and post-mortems in the event of a breach, Expedia is likely looking back at the infrastructure affiliated with its prior acquisitions, like Travelocity, to ensure all of its owned databases are not similarly impacted. It’s always a concern when an organization only becomes aware of a breach months or years after it takes place – highlighting the inadequacy of reactive security solutions and auditing processes.

The travel booking company stressed that its Orbitz.com site was not involved in the breach and also believes passport and travel itinerary information was not accessed.

Of course, Orbitz said it was sorry and that “ensuring the safety and security of the personal data of our customers and our partners’ customers is very important” to the company. It is working to contact customers and partners who may have been impacted by the breach and is offering a year of complimentary credit monitoring and identity protection services. But according to Nathan Wenzler, chief security strategist at San Francisco-based AsTech, “Companies really need to do more than just provide users a free year of credit monitoring services and consider their work done.”

Wenzler added:

Legacy systems are common attack points, as they are often neglected, go without updates or patches and are commonly not monitored, which gives criminals an ideal avenue to gain access and steal whatever data may be resident there. In this case, it was nearly 900,000 credit card accounts. Credit monitoring may be a nice PR gesture, but it does not absolve companies from doing their due diligence around securing legacy systems and protecting their customers’ data, no matter where it lives.