Orbitz: Hackers likely stole credit card details of nearly 900K Orbitz users

Orbitz, which is owned by Expedia, said its legacy platform may have been hacked and the personal information of customers who made purchases online between Jan 1, 2016 and Dec 22, 2017 may have been exposed. Hackers likely gained access to 880,000 payment cards as well as accessed the following personal information: full name, payment card information, date of birth, phone number, email address, physical and/or billing address, and gender.

Orbitz announced the “data security incident” on March 20, saying:

While conducting an investigation of a legacy Orbitz travel booking platform (the “platform”), Orbitz determined on March 1, 2018 that there was evidence suggesting that, between October 1, 2017 and December 22, 2017, an attacker may have accessed certain personal information, stored on this consumer and business partner platform, that was submitted for certain purchases made between January 1, 2016 and June 22, 2016 (for Orbitz platform customers) and between January 1, 2016 and December 22, 2017 (for certain partners’ customers). Orbitz immediately began investigating the incident and made every effort to remediate the issue, including taking swift action to eliminate and prevent unauthorized access to the platform.

Orbitz claims to have immediately brought in third-party forensic investigators after determining there was “likely unauthorized access.”

“Orbitz is not alone in its lack of visibility into some systems,” said Mike Schuricht, VP of product management at Bitglass. Schuricht added: