Orbitz.com, a travel website owned by Expedia Inc., has suffered a large data breach in which the personal and financial details of over 800,000 registered customers may have been stolen by unknown attackers.
In a statement, the company said the breach was identified on March 1, 2018, during an in-depth investigation conducted by Orbitz into a legacy travel booking platform. The attackers accessed that platform between October 2017 and December 2017 and may have obtained roughly two years' worth of data, covering purchases made between January 2016 and December 2017.
Personal data of customers who made certain purchases between January and June 2016 may also have been accessed.
The exposed data includes names, email addresses, phone numbers, gender, dates of birth, ZIP codes, physical addresses and payment card details. A third-party forensic firm has been engaged to investigate further, and law enforcement has been notified.
“We are working quickly to notify impacted customers and partners. We are offering affected individuals one year of complimentary credit monitoring and identity protection service in countries where available. Additionally, we are providing partners with complimentary customer notice support for partners to inform their customers, if necessary,” the company said.
Carl Wright, Chief Revenue Officer at AttackIQ, said in an email: “A week barely passes without the disclosure of a significant breach these days. At some point, corporate executives and the Board of Directors will start asking how much of the information technology budget is being allocated to security control validation and testing. If it is less than 10% of the security budget, they may have some real challenges proving the security program is effective. It is far cheaper to continuously validate your security using attack simulation than recover from a breach.”
“Orbitz is not alone in its lack of visibility into some systems. Any organization that is acquired by or is acquiring another business and its IT assets typically has a major blind spot with respect to its legacy or non-production systems,” security analysts said.
“As is the case with most audits and post-mortems in the event of a breach, Expedia is likely looking back at the infrastructure affiliated with its prior acquisitions, like Travelocity, to ensure all of its owned databases are not similarly impacted. It’s always a concern when an organization only becomes aware of a breach months or years after it takes place, highlighting the inadequacy of reactive security solutions and auditing processes.”
In December last year, a similar breach was disclosed at TIO Networks, a Canadian bill payment management company that PayPal had bought in July 2017 for $233 million (€196m) in cash; in that incident the personal information of 1.6 million customers was stolen.