Another day, another breach. Today, online travel agency Orbitz disclosed that hackers managed to get both credit card data and personal information (though no Social Security numbers and passwords) from users who made their travel purchases on the site between January 1, 2016 and December 22, 2017. In total, the company says, that’s about 880,000 payment cards that were accessed from what the company calls a “legacy Orbitz platform.”
The hackers also likely accessed other data, like names, physical or mailing addresses, birth dates, email addresses, phone numbers and the customer’s gender while they were in the systems between October and December 2017. It’s unclear whether the hackers also downloaded this data. In a statement, though, Orbitz told us that it has found no “direct evidence that this personal information was actually taken from the platform.”
Orbitz, which has been part of the Expedia empire of travel sites since it was acquired in 2015, says that it has updated its security posture since discovering the breach on March 1. The company also notes that its current site is not affected by this breach and that it brought in third-party experts and a forensic investigation firm, as well as law enforcement, to “eliminate and prevent unauthorized access to the platform.”
While this breach isn’t at the level of the giant Equifax and Yahoo hacks, here is yet another company that couldn’t keep your data safe. Indeed, at this point, you can pretty much assume that all of your personal data and likely your passwords and credit cards, too, are up for sale in one of the darker parts of the internet.
Orbitz is notifying customers whose data has been affected and will offer them the standard complimentary year of credit monitoring and identity protection services that pretty much every company now offers customers who were affected by a breach (to the point where many a U.S. consumer probably has access to multiple of these services at the same time).