Orbitz Data Security Breach Likely Impacted Hundreds of Thousands of Users
by Richard D’Ambrosio /
Orbitz announced today that security was breached on 880,000 payment forms, and that customers associated with those forms of payment may have had their personal information breached during a hacking incident in 2017.
In a statement, the company said that “while conducting an investigation of a legacy Orbitz platform, we determined on March 1, 2018 that there was evidence suggesting that, between October 1, 2017 and December 22, 2017, an attacker may have accessed personal information stored on a consumer platform” for “certain purchases made between January 1, 2016 and June 22, 2016.”
For an Orbitz partner platform, “our investigation determined that the attacker may have accessed personal information that was submitted for certain purchases made between January 1, 2016 and December 22, 2017.”
Customers and partners are being notified about what personal information may have been accessed in the incident, the company said, adding that the “current Orbitz.com website was not in any way involved in this incident.”
Orbitz said it has taken “immediate steps to investigate the incident and enhance security and monitoring of the affected platform,” including bringing in a third party forensic investigation firm and other cybersecurity experts, “to eliminate and prevent unauthorized access to the platform.”
Information that was likely accessed may include full name, payment card information, date of birth, phone number, email address, physical and/or billing address, and gender.
“To date, we do not have direct evidence that this personal information was actually taken from the platform,” Orbitz said. “Our investigation to date has not found any evidence of unauthorized access to other types of personal information, including passport and travel itinerary information.”
“For U.S. customers, Social Security numbers were not involved in this incident, as they are not collected nor held on the platform,” said Orbitz.
Orbitz is offering affected individuals one year of complimentary credit monitoring and identity protection service in countries where available. “Additionally, we are providing partners with complimentary customer notice support for partners to inform their customers, if necessary.”