March 22, 2018
Orbitz, the popular travel booking site, has announced that its legacy website suffered a security breach. Roughly 880,000 customers who used the public-facing site between January and July of 2017 may have had their data exposed to attackers through an older version of the website. Orbitz disclosed the potential exposure on March 20, only three weeks after it discovered the breach. Orbitz is an Expedia Inc. subsidiary that helps customers book flights, hotels, cruises, and rental cars.
Compromised information, potentially
According to Orbitz, it is not yet clear whether user data was actually copied or stolen, only that the system was breached and user data was accessible to the attackers. Information including payment card data, names, addresses, email addresses, phone numbers, and gender could potentially have been taken. Orbitz's security team has said that Social Security numbers, passport data, and flight itineraries were not part of the exposed information. A deeper investigation is ongoing, and Orbitz has engaged a forensic investigation firm and a law firm to help establish what happened. Orbitz says it will keep customers informed as more information about the attack surfaces.
For users who may have been affected, Orbitz is offering to pay for a year of credit monitoring. Orbitz issued an apology stating that the company regrets the breach and is committed to making it right and regaining consumer trust. Orbitz is taking steps to notify the 880,000 potentially affected users, who can also reach the company at 855-828-3959 in the U.S. or 512-201-2214 outside the U.S. for more information.
Competent handling of a preventable breach
Willy Leichter, a cybersecurity expert at Virsec Systems, says that Orbitz's handling of the incident is commendable. Comparing Orbitz's actions with those of other breached companies, he is impressed with the three-week turnaround on disclosing the breach, as well as the quick action to make things right. He cites Equifax taking more than 6 months to own up to a breach, and Uber hiding a hack until it was discovered independently, as more common, and far less impressive, ways of handling this kind of incident.
Although Orbitz is doing a good job mitigating the damage, Leichter says the breach should never have happened at all. Orbitz claims the information was accessed through a legacy site, but Leichter says that a site which is still active and public-facing does not qualify as legacy. The fact that Orbitz had moved traffic to its newer site should not have come at the expense of the security measures protecting the older one.
Hackers like travel companies
Travel agencies are lucrative targets for attackers because so much personal information is required when booking flights and hotel rooms. Other notable travel agency breaches include last year's Sabre hack and the 2011 TripAdvisor hack. The Sabre attackers managed to steal around 15% of users' data, including contact information and payment information. The TripAdvisor breach exposed email addresses, but no payment data was on file.