Orbitz hit with data breach, info on 880,000 payment cards at risk

News by Doug Olenick

The online travel company Orbitz has suffered a major data breach possibly exposing the personal information associated with the owners of up to 880,000 payment cards.

The online travel company Orbitz has suffered a major data breach possibly exposing the personal information associated with the owners of up to 880,000 payment cards.

The company, a subsidiary of Expedia, said in a statement that the payment card information was taken during a breach that hit its consumer and partner platforms. The exposed consumer data was taken from certain purchases made between January 1, 2016 and June 22, 2016, while information from purchases was exposed from the partner platform between January 1, 2016 and December 22, 2017.

Orbitz did not disclose the nature of the data breach, but a few industry executives believe either an Orbitz partner may be to blame or an internal staffer's credentials were compromised.

"Orbitz mentions it believes the hacker got into the ‘Orbitz consumer and business partner platform.' It's not entirely clear to me what the company is referring to, but by the sounds of it third parties are able to access Orbitz customer information, which for some reason includes payment card details. Orbitz hasn't provided any additional details about how the breach occurred, but I suspect one of the partners on this platform was compromised,” said Paul Bischoff, privacy advocate at Comparitech.com.

However, Perry Chaffee, VP of strategy at authentication company WWPass, said that the target was stored in a centralised database that was most likely accessible to "trusted" admins who could have been compromised without their knowledge and that database was probably also accessible on the back end.

“According to Verizon's DBIR, there's an 81 percent probability that the compromised credentials of a trusted admin were the root cause of this attack.  There's a 19 percent chance that access resulted from a more complex back-end attack, but I'd be more focused on the 4/5 chance that an admin's password was guessed, stolen, intercepted, or cracked,” he said.

The intrusion was discovered on March 1, 2018 and most likely took place between October 1, 2017 and December 22, 2017, Orbitz said. The company was conducting an investigation on an older Orbitz.com platform when its researchers found evidence that unauthorised access had been gained.

The information that was likely accessed may include full name, payment card information, date of birth, phone number, email address, physical and/or billing address, and gender. The company said that despite the information being unsecure it has not found any direct evidence that this personal information was actually taken from the platform.

“Our investigation to date has not found any evidence of unauthorised access to other types of personal information, including passport and travel itinerary information. For US customers, Social Security numbers were not involved in this incident, as they are not collected nor held on the platform,” Orbitz said.

Orbitz was acquired by Expedia in February 2015 for $1.6 billion (£1.14 billion) in cash.

"Orbitz is not alone in its lack of visibility into some systems. Any organisation that is acquired by or is acquiring another business and its IT assets typically has a major blind spot with respect to its legacy or non-production systems. As is the case with most audits and post-mortems in the event of a breach, Expedia is likely looking back at the infrastructure affiliated with its prior acquisitions, like Travelocity, to ensure all of its owned databases are not similarly impacted,” said Mike Schuricht, VP product management for Bitglass.

George Avetisov, CEO of HYPR, said that while how part of the breach has not been made public the fact that this amount of personal information was stored in one locale is problematical.

“The Orbitz breach is yet another example of what happens when personal credentials are centralised. The centralisation of biometrics, pins, passwords, and credit cards has proven to create a single point of failure targeted by hackers. Large enterprises are moving towards decentralised authentication in order to prevent large scale breaches, eliminate fraud and ensure user privacy,” he told SC Media.


In an email to SC Media UK, Neil Haskins, director of advisory services EMEA adds: “The data that may have been accessed is extremely personal – we are talking names, dates of birth, email addresses, billing addresses, phone numbers and most importantly payment card information. With this information exposed, you can imagine the damage that could be done to the customers that have been affected – other than your inside leg measurement, I think the hackers have all the information they could possibly need.

“This is another case of companies not thinking like a hacker. It is suspected that the data was accessed through an older booking platform that may not have been front of mind for the internal security team, who would be more concerned with securing the current system. But hackers are resourceful, and will look to explore all potential avenues if the reward is big enough. Companies need to get into the mindset of a bad guy and stop ticking the audit boxes, as its proven these don't make you more secure. 

"Start giving your organisation a thorough assessment, not just IT but any vector that a bad guy might exploit, and if you don't know them, engage people that do. Ask yourself the simple questions, what is a bad guy after and how will he get it – production data sat in a development environment, a backup tape or an older platform? By doing this you can uncover vulnerabilities that you never thought were there, and hopefully stop breaches like this from happening.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews