Expedia-owned travel booking site Orbitz has reported that payment information of as many as 880,000 credit cards along with other personal information have “likely” been stolen from its website servers.
What happened and when
According to Orbitz, on March 1, 2018, they have uncovered evidence of two separate breaches of their website platform that occurred between October 1, 2017 and December 22, 2017. In the first breach, the hackers accessed data related to purchases made on orbitz.com between Jan. 1, 2016, and June 22, 2016. In the second breach, the attackers accessed data used by partner sites (including the American Express site Amextravel.com) that used Orbitz to book travel between Jan. 1, 2016, and Dec. 22, 2017.
Orbitz maintains that this exposure affected its “older” website, and does not impact the current website platform.
What data was affected
Orbitz reports that the following information was exposed in these breaches: payment account information, customer’s full name, date of birth, phone number, email address, physical or billing address and gender. At this time, Orbitz has no evidence that other types of personal information, including passport, social security number or travel itinerary information was exposed.
Next steps and safeguards
As has become the norm, Orbitz is advising customers who suspect they were affected to monitor their payment account activity and credit reports. Orbitz is also offering affected customers one year of complimentary credit monitoring and identity protection service. Visit orbitz.allclearid.com for more information.