Orbitz, which is owned by Expedia, announced a possible data breach that might have impacted 880,000 payment cards.
Expedia provided information that cyber criminals accessed by Orbitz consumer and businesses partner platforms. Hackers were not able to access orbitz.com website. Expedia also indicated that they have become aware of the possible breach on March 1. The consumer side of Orbitz platform was accessible in the first half of 2016. The partner side of the platform was accessible from January 1, 2016, to December 22, 2017.
Exposed data could have included users’ payment card information, names, phone number, email and billing addresses.
Privacy advocate at Comparitech Paul Bishoff noted that users' passwords were not compromised.
To date, we do not have direct evidence that this personal information was actually taken from the platform and there has been no evidence of access to other types of personal information, including passport and travel itinerary information.
It is worth to mention that Expedia’s platform was not impacted.
Orbitz was acquired by Expedia in September 2015, only five months earlier before the breach occurred. The details how did the breach occurred are unknown and Orbitz has not shared any information about the data breach; except that the incident took place on one of Orbitz’ legacy systems.
It was mentioned that the potentially stolen data of 880,000 customers do not belong to any of the US consumers.
According to Tim Elin, Vice President, product management, and strategy at Tripwire, “the first rule in every publicly announced incident is that there’s always more to learn. I’m sure that there are more details about this incident that will shed additional light on the root causes and consequences.”
Expedia does not share details about the breach and it is still unclear how the data was breached, or if it was breached at all. There is also a possibility that the consumer data was exposed due to a misconfigured storage container. Misconfigurations enable hackers and cybercriminals to take advantage and get access to private or sensitive information. For instance, AWS, MongoDB and CouchDB incidents occurred due to misconfigurations in the databases.
In addition, 1.3 billion records were linked to 24 incidents that involved unsecured private databases and data stores that have been exposed to the public due to misconfigurations in servers from September 2017.
It is worth to mention that the hospitality sector has been one of the highest targeting sectors by hacker teams such as Carbanak cybercrime gang. The hacker group has stolen about one billion from financial institutions across the globe. According to the researchers, the group targets hospitality industry and restaurants with the most recent techniques and apply sophisticated viruses and other malware.