Popular Travel Site Gets Hacked... Orbitz Customers Beware


Popular travel-booking site Orbitz has likely been hacked, potentially exposing payment card information for people who bought plane tickets or booked hotel rooms over the course of two years.

The company said that it has uncovered evidence that about 880,000 payment cards were possibly impacted, along with other personal information, such as names, payment card information, dates of birth, phone numbers, email addresses, physical and/or billing addresses and gender.

The company said evidence suggests an attacker may have accessed information stored on a legacy e-commerce platform during two periods: 1 January through 22 June 2016 and 1 October to 22 December 2017.

"We determined on March 1, 2018, that there was evidence suggesting that an attacker may have accessed personal information stored on this consumer and business partner platform,” the Expedia-owned site said in a media statement. “We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform. To date, we do not have direct evidence that this personal information was actually taken from the platform. We deeply regret the incident, and we are committed to doing everything we can to maintain the trust of our customers and partners."

Orbitz is offering customers a year of free credit monitoring; yet Nathan Wenzler, chief security strategist at San Francisco-based security consulting company AsTech, said that more is needed.

“Another day, another breach. And while the attackers show no signs of slowing down, companies really need to do more than just provide users a free year of credit monitoring services and consider their work done,” he said via email. “Legacy systems are common attack points, as they are often neglected, go without updates or patches and are commonly not monitored, which gives criminals an ideal avenue to gain access and steal whatever data may be resident there. In this case, it was nearly 900,000 credit card accounts. Credit monitoring may be a nice PR gesture, but it does not absolve companies from doing their due diligence around securing legacy systems and protecting their customers' data, no matter where it lives.”

So what can you do if you think your information is at risk? First, you need to make sure you are doing everything you can to protect yourself. Find out what to do:


If you think you have been exposed, contact us to find out what damage has been done and how we can help you recover.