Naked Security

880,000 payment cards affected in travel company data breach

Orbitz believes crooks may have gotten at customers' names, addresses, dates of birth, and more.

Travel booking website Orbitz says that a data breach has affected 880,000 payment cards.
The company discovered on 1 March that somebody or somebodies may have accessed customers’ full names, payment card information, dates of birth, phone numbers, email addresses, physical and/or billing addresses, and genders.
So far, Orbitz hasn’t found any evidence of hackers having gotten at passport numbers or travel itineraries, and it looks like US customers’ taxpayer IDs weren’t involved (it doesn’t collect them or hold them on its platform).
The company said in an announcement on Tuesday that it discovered the breach while investigating a legacy Orbitz travel booking platform. Evidence points to an attacker having potentially accessed certain personal information of customers between 1 October 2017 and 22 December 2017. The personal information would have been that which was submitted for certain purchases made between 1 January 2016 and 22 June 2016 for Orbitz platform customers and between 1 January 2016 and 22 December 2017 for certain partners’ customers.


Orbitz immediately launched an investigation and bulked up its security, it said.
According to Engadget, Orbitz said that it doesn’t have direct evidence that this customer data was actually stolen.
But it sure wouldn’t be surprising if that was the case. After all, businesses related to travel are flush with stored IDs and payment data, all too often ripe for the picking.
Hotels and other travel businesses that have been plucked:

  • We saw 250 Hyatt hotels drained of payment card details in 2016.
  • Also in 2016, payment card slurping malware infected HEI Hotels & Resorts, the chain that owns Westin, Starwood, Marriott, Hyatt, Intercontinental and Le Méridien hotels. It was found on point-of-sale (POS) systems at several properties, letting crooks get at customers’ credit card details, including names, card account numbers, expiration dates, and verification codes.
  • The Trump Hotel chain was reportedly drained of payment card details at least as far back as February and up until at least July 2015.
  • In February 2014, it was White Lodging, the company behind the US hotel chains Hilton, Marriott, Sheraton and Westin, that reported that properties in six US cities had been leaking thousands of guests’ credit and debit card information throughout much of 2013.

And those are only a few of oh, so many breaches. Of course, POS malware doesn’t just wind up at hotels. It’s also frequently found at gas stations or other retail outlets.
Travel is ripe for rip-off, really: if some crook isn’t stealing payment card details at the POS device or online, you then have to watch out for hotel Wi-Fi over open, unencrypted connections, with all the dangers that brings. As we’ve said before, don’t drop your guard when you’re on the road!
Orbitz is offering affected customers one year of free credit monitoring and identity protection service in countries where it’s available.
If you’re in the US, you can sign up at https://orbitz.allclearid.com or by calling 1-855-828-3959. Affected customers outside of the US should call 1-512-201-2214 to learn about the resources available to them.


3 Comments

Isn’t encryption part of security? Why aren’t these companies who hold customers’ sensitive data encrypting this information?


Because it’s less expensive and they don’t have to.


Yes, they do have to. PCI, the Payment Card Industry association, has standards for data security that they enforce with hefty fines and/or removal of a company’s ability to accept cards. The level of required protection depends on the company’s sales volume, but includes encryption for most medium-to-large players. Having worked for an e-commerce company that went through PCI audits, I have seen that the standards are pretty strict, but the effectiveness of the auditors who verify compliance can be quite variable. It’s likely that the stolen payment information was encrypted (the article didn’t say), but it’s also possible that information was intercepted in transit before it was encrypted or that the encryption keys were not adequately protected.
