Orbitz.com, a popular Chicago, Illinois-based travel website owned by Expedia Inc., has suffered a massive data breach in which the personal and financial details of over 800,000 registered customers may have been stolen by unknown hackers.
In a statement to the media, the company said that the breach was identified on March 1st, 2018 after an in-depth investigation conducted by Orbitz. The breach took place between 1st October 2017 and December 2017, when hackers accessed a legacy travel booking platform and stole two years' worth of data covering January 2016 to December 2017.
Moreover, personal data of those customers who made certain purchases between January 1 and June 22, 2016, may have also been accessed by hackers.
The stolen data includes names, email addresses, phone numbers, gender, date of birth, zip code, physical address and banking details such as card information. A cybersecurity forensic company is investigating the issue, and police have also been informed.
“We are working quickly to notify impacted customers and partners. We are offering affected individuals one year of complimentary credit monitoring and identity protection service in countries where available. Additionally, we are providing partners with complimentary customer notice support for partners to inform their customers, if necessary,” the company said.
“Anyone who is notified is encouraged to carefully review and monitor their payment card account statements and contact their financial institution or call the number on the back of their card if they suspect that their payment card may have been misused.”
Carl Wright, Chief Revenue Officer at AttackIQ, told HackRead in an email comment that:
“A week barely passes without the disclosure of a significant breach these days. At some point, corporate executives and the Board of Directors will start asking how much of the information technology budget is being allocated to security control validation and testing. If it is less than 10% of the security budget, they may have some real challenges proving the security program is effective. It is far cheaper to continuously validate your security using attack simulation than recover from a breach.”
Mike Schuricht, VP Product Management, Bitglass:
“Orbitz is not alone in its lack of visibility into some systems. Any organization that is acquired by or is acquiring another business and its IT assets typically has a major blind spot with respect to its legacy or non-production systems.”
“As is the case with most audits and post-mortems in the event of a breach, Expedia is likely looking back at the infrastructure affiliated with its prior acquisitions, like Travelocity, to ensure all of its owned databases are not similarly impacted. It’s always a concern when an organization only becomes aware of a breach months or years after it takes place – highlighting the inadequacy of reactive security solutions and auditing processes.”
In December last year, a similar breach took place: Canadian bill payment management company TIO Networks, which was bought by PayPal in July 2017 for $233 million (€196m) in cash, suffered a data breach in which the personal information of 1.6 million customers was stolen.