Orbitz Data Leak

It has been reported that US travel agent Orbitz may have been hacked, potentially exposing the personal information of people that made purchases between Jan. 1, 2016 and Dec. 22, 2017.

The company said Tuesday about 880,000 payment cards were impacted.

Orbitz said data that was likely exposed includes name, payment card information, date of birth, phone number, email address, physical and/or billing address and gender. The company said evidence suggests an attacker may have accessed information stored on this consumer and business partner platform between Oct. 1, 2017 and Dec. 22, 2017. IT security experts commented below.

Mark James, Security Specialist at ESET:

“Any data stolen during a data breach can and often is used for future spam campaigns, to steal more information or gain login credentials for other sites. It was stated that “the hacker accessed customer data from the previous two years — between January 2016 and December 2017 — which included names, dates of birth, postal and email addresses, gender, and payment card information.” They also stated that to their knowledge, there is no evidence of passport, social security info or travel information being stolen- the problem of course, would be that if you received an email out of the blue from a company you deal with, asking for information and citing DOB, gender and some of your payment information there’s a good chance you will act on their enquiries- or even give them any info they ask for.

Always be certain before you hand over any private info at all these days, regardless of the fact that the enquiring company may seem legit. If you have not personally initiated the request, then don’t be worried about verifying who they say they are- no legitimate company should penalise you for making sure. Data breaches are becoming a very common occurrence these days- with so much of our data available on the internet, we need to be extra careful about giving over more than we have too.”

Paul Bischoff, Privacy Advocate at Comparitech.com:

“The hack on Orbitz is quite severe, compromising an estimated 880,000 payment cards over a roughly 2-year period. Other personal information breached includes names, addresses, emails, birth dates, phone number, and gender. Passwords are notably absent from the list, so it would seem at this time that a password change will not be required for Orbitz customers. Furthermore, the company emphasizes its website—now owned by Expedia—was not hacked.

Little more information is currently available. Orbitz mentions it believes the hacker got into the “Orbitz consumer and business partner platform”. It’s not entirely clear to me what the company is referring to, but by the sounds of it third parties are able to access Orbitz customer information, which for some reason includes payment card details. Orbitz hasn’t provided any additional details about how the breach occurred, but I suspect one of the partners on this platform was compromised.

At this time, people who have used Orbitz in the past should keep an eye on the story and strongly consider cancelling their credit and debit cards. It would also be wise for customers to place a 90-day fraud alert on their credit report, and take advantage of the free year of credit monitoring that Orbitz is offering those affected.”

Dr. Jamie Graves, CEO & Founder at ZoneFox:

“880,000 card details is not a data haul to be sniffed at. Orbitz – and their parent company Expedia – will need to act swiftly and effectively to inform and protect their customers.

This attack, which targeted a legacy system that was an active part of the Orbitz IT suite prior to Expedia’s acquisition in 2015, highlights the danger of third-party security. The platform has now resulted in a major headache for both companies.

It’s good that Orbitz is now working alongside forensic investigators to identify the weakness exploited, but would perhaps have been better served by identifying such vulnerabilities in 2015, rather than in retrospect. Security rules, technical defences and best practice is important to apply across third-party acquisitions in just the same way as the core business, with a full audit of legacy/unused systems undertaken at the same time. Verizon’s auditing of Yahoo! certainly raised some points last year.

When a company such as Expedia acquires another, they get everything, the whole package including legacy systems no longer in use. For attackers, such systems can be seen as an ideal backdoor into the network; rather than knocking on Orbitz’ front door and dealing with the security in place, the unlocked entry through a legacy system is far easier to target.”

Mike Schuricht, VP Product Management at Bitglass:

“Orbitz is not alone in its lack of visibility into some systems. Any organization that is acquired by or is acquiring another business and its IT assets typically has a major blind spot with respect to its legacy or non-production systems. As is the case with most audits and post-mortems in the event of a breach, Expedia is likely looking back at the infrastructure affiliated with its prior acquisitions, like Travelocity, to ensure all of its owned databases are not similarly impacted. It’s always a concern when an organization only becomes aware of a breach months or years after it takes place – highlighting the inadequacy of reactive security solutions and auditing processes.”

Willy Leichter, VP of Marketing at Virsec:

“First, it’s important to point out the Orbitz announced this breach relatively quickly – within 3 weeks. That may not sound fast, but compared to Equifax (6+ months) and Uber (never, until they got caught), Orbitz did theright thing.

“What’s more unsettling is the idea that sensitive data for close to a million customers was available in a “legacy website.” That makes it sound like it’s OK to neglect security on older systems while you focus on your latest, coolest apps. If it’s a public-facing website with real data, it’s not legacy – it’s live, and a real liability.”

Carl Wright, Chief Revenue Officer at AttackIQ:

“A week barely passes without the disclosure of a significant breach these days.  At some point, corporate executives and the Board of Directors will start asking how much of the information technology budget is being allocated to security control validation and testing.  If it is less than 10% of the security budget, they may have some real challenges proving the security program is effective.  It is far cheaper to continuously validate your security using attack simulation than recover from a breach.”