Incident Of The Week: Orbitz Data Breach Exposes 880K Accounts



Dan Gunderman
03/23/2018

[Featured Photo Credit: Chris Dorney / Shutterstock.com]

In the dynamic world of cyber security, breaches are both tightly guarded and, sadly, imminent.

Combing through data, market research and threat-defense efforts taken by enterprises can be a daunting task. Here at Cyber Security Hub, we both track the latest industry news and make it more navigable for the IT professional. CSHub coverage extends outwards – as it helps enterprises batten down their proverbial hatches.

In this edition of “Incident of the Week,” we examine a potential data breach at Orbitz, a subsidiary of Expedia Inc., an online travel agency. Orbitz, which aggregates travel fare, was believed to have been vulnerable to the possible exfiltration of sensitive data.

Reports of the potential breach surfaced on Tuesday, and Orbitz said that hackers may have tapped into about 880,000 payment cards.

In a media release on the incident provided to the Cyber Security Hub, Orbitz said that the breach has been “remediated,” and involved a legacy travel booking platform.

According to the release, Orbitz determined on March 1, 2018 that a hacker may have accessed personal information stored on a consumer and business partner platform between Oct. 1, 2017 and Dec. 22, 2017.

See Related: Overwhelming Majority Of Businesses Have No Cyber Incident Response Plan

“We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform,” the company said. “As part of our investigation and remediation work, we brought in a leading third party forensic investigation firm and other cyber security experts, began working with law enforcement, and took swift action to eliminate and prevent unauthorized access to the platform.”

The Orbitz.com website was reportedly not involved in the incident. Consumer platform data from purchases made between Jan. 1, 2016 and June 22, 2016 was at risk. The company said “the attacker may have accessed personal information that was submitted…”

For the partner platform, Orbitz said that the purchase period of note was between Jan. 1, 2016 and Dec. 22, 2017.

Incident Response IOTW Incident of the Week Cyber Security

As mentioned, the estimated number of potentially impacted payment cards is 880,000. The personally identifiable information (PII) that may have been lifted includes: name, payment information, date of birth, phone number, email address, physical address and gender, according to the release.

“To date, we do not have direct evidence that this personal information was actually taken from the platform,” it reads. “(Also), our investigation to date has not found any evidence of unauthorized access to other types of personal information, including passport and travel itinerary information.”

The company also suggests that Social Security numbers were not impacted by the potential exposure – because they are not collected or held on the platform.

See Related: Incident Of The Week: Server Configuration Error Exposes 33K Healthcare Records

“We deeply regret the incident, and we are committed to doing everything we can to maintain the trust of our customers and partners,” the company writes.

Those affected are being offered one year of credit monitoring and identity protection service. Partners are being provided with complimentary customer notice support. Any impacted individual is asked to closely monitor their financial and identifying information.

On the same exposure, American Express Co. said in a statement that the Orbitz incident did not impact its systems, according to Reuters.

It’s not the first time that a big player in the travel industry has been targeted by hackers. Both InterContinental Hotels Group Plc. and Hyatt Hotels Corp. also fell under black-hat crosshairs in 2017.

At midweek, the Expedia share fell approximately 2%, to $108.99, Reuters notes. Late-day Thursday, the stock price for the online travel booker was $106.98. While not a precipitous drop, it offers evidence as to the significance of enterprise security.

Importance Of Resources

Furthermore, although speaking about federal agencies and critical infrastructures at a recent Consortium for IT Software Quality event, Jeanette Manfra explained that breach prevention is a matter of resource allocation.

Manfra, National Protection and Programs Directorate Assistant Secretary for the Office of Cyber Security and Communications at the DHS, said that in picking and choosing where to focus cyber resources, other doors open for malicious activity.

According to the Federal Times, she said, “We cannot apply all of our resources equally across all of our systems. That does mean that there are going to be some issues where you do potentially have breaches because we choose to prioritize the resources toward other systems. That is not an enticing scenario for many...”

The same report suggests that Manfra categorized cyber-threats as “increasingly persistent,” while “cyber hygiene” has not been able to “keep pace."

What issues plague the public sector frequently impact the private sector -- as security teams try to grasp the morphing threat landscape.

Be Sure To Check Out: Incident Of The Week: Historic DDoS Attacks Strike GitHub, Service Provider