Orbitz Socked with Data Breach

March 23, 2018         By: Steven Anderson

It’s a good news / bad news situation out of Orbitz, as reports note that the travel website, a subsidiary of fellow travel website Expedia, suffered a data breach back around early 2016, and it’s just now coming to light. That’s the bad news. The good news, however, is that the actual information involved in the hacking may not have been that extensive.

The investigation that revealed the breach in the first place, which took place this month, suggests that it may have happened sometime between January 1 and June 22, all in 2016. The actual website wasn’t affected by the hit, but the consumer platform was, and hackers would have been able to access personal information from right around 880,000 cards total.

This may have included information that is fairly sensitive but also likely already available, such as names, phone numbers and billing addresses, the kind of thing you can find in any standard phone book. Email addresses, only slightly harder to come by, may also have been involved.

Orbitz, however, noted that while the information may have been exposed, there was no evidence to indicate that it had actually been taken. There was also no information suggesting that passport or itinerary information had been taken, and Social Security numbers were also safe. In something of a side note, American Express revealed that the attack on Orbitz hadn’t actually compromised any of its own systems.

Breaches in the travel sector are nothing new—from hotels to other travel sites, we’ve seen plenty of late—but thankfully, it seems that the fallout here is likely minimal. This data breach took place over a year ago, at minimum, and possibly better than two years ago; if someone by now hasn’t noticed an impact, then chances are there never was an impact to begin with. It’s easy to forget sometimes that there are several degrees of hacker; some just want information, while others of a much less scrupulous sort take that information and do unpleasant things with it.

In this case, it might well have just been someone wanting to prove they could breach Orbitz, or just wanting to see if they recognized some names. Not legal or proper, of course, but certainly better than the alternatives.