Hacker Accessed Customer Data From Orbitz Legacy System

Popular travel booking site Orbitz, owned by Expedia, confirmed yesterday that it “identified and remediated a data security incident affecting a legacy travel booking platform.” The company explained that a hack late last year exposed customer data and billing information spanning two years. Personal data may have included birth dates, mailing addresses, email addresses, gender, payment card info, and more. According to Orbitz, about 880,000 credit cards may have been affected. However, the company noted that the current Orbitz.com site was not breached.

“The company doesn’t have evidence that the information was actually taken,” reports Digital Trends, “but the access means user data could have been stolen.” When Orbitz discovered the attack earlier this month, it contacted law enforcement and hired a forensic investigative firm.


“Orbitz said that, along with billing information, the hack also could have exposed other personal data including names, emails, phone numbers, billing addresses, and gender. The company’s investigation also suggests that travel itineraries, passport information, and social security numbers were not part of the hack.”

Virsec Systems cybersecurity expert Willy Leichter explained, “it’s important to point out that Orbitz announced this breach relatively quickly — within 3 weeks. That may not sound fast, but compared to Equifax (6+ months) and Uber (never, until they got caught), Orbitz did the right thing.”

However, he added: “What’s more unsettling is the idea that sensitive data for close to a million customers was available in a ‘legacy website.’ That makes it sound like it’s okay to neglect security on older systems while you focus on your latest, coolest apps. If it’s a public-facing website with real data, it’s not legacy — it’s live, and a real liability.”

Other travel platforms such as Sabre and TripAdvisor have been targeted in the past.

“We are working quickly to notify impacted customers and partners,” notes an Orbitz statement, as reported by ZDNet. “We are offering affected individuals one year of complimentary credit monitoring and identity protection service in countries where available.”