Orbitz announced today that it has discovered evidence of a data breach. Between October and December of last year, hackers may have accessed consumer data submitted to a legacy website between January 1, 2016 and June 22, 2016. Additionally, Orbitz partner platform data submitted between January 1, 2016 and December 22, 2017 may also have been breached. The company discovered signs of the breach on March 1st and estimates that approximately 880,000 credit cards may have been impacted. While social security numbers, passport and travel itinerary information don’t appear to have been accessed, names, payment card information, dates of birth, phone numbers, email addresses, physical and billing addresses and gender may have been. However, Orbitz says that it doesn’t have direct evidence that any of this information was actually stolen.
“Ensuring the safety and security of the personal data of our customers and our partners’ customers is very important to us,” Orbitz said in a statement. “We deeply regret the incident, and we are committed to doing everything we can to maintain the trust of our customers and partners.” The company said that it is notifying those that might have been impacted by the breach and is offering a year of complimentary credit monitoring and identity protection services. It’s also offering to assist its affected partners in notifying their customers.
Orbitz, which is owned by Expedia, said that its current website was not affected by the breach. “We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform,” Orbitz said. “As part of our investigation and remediation work, we brought in a leading third party forensic investigation firm and other cybersecurity experts, began working with law enforcement and took swift action to eliminate and prevent unauthorized access to the platform.”