Orbitz hit with data breach, info on 880,000 payment cards at risk
April 22, 2018
Seid Yassin

The online travel company Orbitz has suffered a major data breach possibly exposing the personal information associated with the owners of up to 880,000 payment cards.

The company, a subsidiary of Expedia, said in a statement that the payment card information was taken during a breach that hit its consumer and partner platforms. On the consumer platform, the exposed data came from certain purchases made between January 1, 2016 and June 22, 2016; on the partner platform, it came from purchases made between January 1, 2016 and December 22, 2017.

Orbitz did not disclose the nature of the data breach, but a few industry executives believe either an Orbitz partner may be to blame or an internal staffer’s credentials were compromised.

“Orbitz mentions it believes the hacker got into the ‘Orbitz consumer and business partner platform.’ It’s not entirely clear to me what the company is referring to, but by the sounds of it third parties are able to access Orbitz customer information, which for some reason includes payment card details. Orbitz hasn’t provided any additional details about how the breach occurred, but I suspect one of the partners on this platform was compromised,” said Paul Bischoff, privacy advocate at Comparitech.com.

However, Perry Chaffee, VP of strategy at authentication company WWPass, said that the targeted data was stored in a centralised database that was most likely accessible to “trusted” admins, who could have been compromised without their knowledge, and that the database was probably also reachable through the back end.

“According to Verizon’s DBIR, there’s an 81 percent probability that the compromised credentials of a trusted admin were the root cause of this attack. There’s a 19 percent chance that access resulted from a more complex back-end attack, but I’d be more focused on the 4/5 chance that an admin’s password was guessed, stolen, intercepted, or cracked,” he said.

The intrusion was discovered on March 1, 2018 and most likely took place between October 1, 2017 and December 22, 2017, Orbitz said. The company was conducting an investigation on an older Orbitz.com platform when its researchers found evidence that unauthorised access had been gained.

The information that was likely accessed may include full name, payment card information, date of birth, phone number, email address, physical and/or billing address, and gender. The company said that despite the information being unsecured, it has not found any direct evidence that this personal information was actually taken from the platform.

“Our investigation to date has not found any evidence of unauthorised access to other types of personal information, including passport and travel itinerary information. For US customers, Social Security numbers were not involved in this incident, as they are not collected nor held on the platform,” Orbitz said.

Orbitz was acquired by Expedia in February 2015 for $1.6 billion (£1.14 billion) in cash.

Source | scmagazineuk