Slashdot Mirror


Orbitz Says Legacy Travel Site Likely Hacked, Affecting 880,000 Credit Cards (usnews.com)

hyperclocker shares a report from U.S. News & World Report: Orbitz says a legacy travel booking platform may have been hacked, possibly exposing the personal information of people that made certain purchases between January 1, 2016 and December 22, 2017. Orbitz said Tuesday about 880,000 payment cards were impacted. Data that was likely exposed includes name, payment card information, date of birth, phone number, email address, physical and/or billing address and gender. The company said evidence suggests an attacker may have accessed information stored on the platform -- which was for both consumers and business partners -- between Oct. 1, 2017 and Dec. 22, 2017. "Orbitz said it worked with a forensic investigation firm, cybersecurity experts, and law enforcement once the breach was discovered in order to 'eliminate and prevent unauthorized access to the platform,'" reports The Verge. "The company also notes that its current site, Orbitz.com, wasn't affected. It is notifying customers who may have been impacted and is offering a year of free credit monitoring."

29 comments

  1. Bitcoin by Anonymous Coward · · Score: 0

    This is why I only pay for my travel with bitcoin.

    1. Re:Bitcoin by Anonymous Coward · · Score: 0, Funny

      aka Pedocoins.

  2. One year free credit monitoring by El+Cubano · · Score: 5, Interesting

    One year credit monitoring is a joke. Seriously, in this day and age who still has not frozen their credit? Equifax now offers it for free after their breach and the other two (TransUnion and Experian) are just a few bucks. Depending on what state you live in you might even be able to freeze your credit for free depending on the law there.

    1. Re:One year free credit monitoring by Anonymous Coward · · Score: 0

      To be fair though, credit cards themselves are a joke. Here is my 16 digit secret key. Please don't take more than you need. Please don't share it with others and rob me blind or else I might be able to make a claim and recover my funds. (Maybe. If I happen to notice it.)

      Really, what a joke that all is.

    2. Re:One year free credit monitoring by ShanghaiBill · · Score: 1

      To be fair though, credit cards themselves are a joke. Here is my 16 digit secret key. Please don't take more than you need.

      Indeed. The root problem here is we base financial security on information that is both secret and widely known. Thousands of people have access to my SSN, and even more have access to my CC #s.

      We should have 2FA for small transactions (debit cards already do this, as does ApplePay, Walmart-Pay, and WeChat), and 3FA for large transactions.

    3. Re:One year free credit monitoring by Anonymous Coward · · Score: 0

      And, they're not even really offering that to many of their customers. We spend well into six figures a year with them since they're across 4th in Bellevue, WA from us and they're not offering that protection to our employees that used their personal credit cards and entered their names with middle name and DOB. Sucks to force employees to use Orbit Z then have them screw them like that.

    4. Re:One year free credit monitoring by mjwx · · Score: 2

      One year credit monitoring is a joke. Seriously, in this day and age who still has not frozen their credit? Equifax now offers it for free after their breach and the other two (TransUnion and Experian) are just a few bucks. Depending on what state you live in you might even be able to freeze your credit for free depending on the law there.

      Actually the storing of card information, especially in an unencrypted or easily decrypted format is the joke here. If sites didn't store card information then we wouldn't have so much need for credit monitoring or so many freezes.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    5. Re:One year free credit monitoring by rickb928 · · Score: 1

      Chip & PIN, my friend. What you have (chip), what you know (PIN).

      Widely used in the US, ubiquitous globally.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    6. Re:One year free credit monitoring by rickb928 · · Score: 1

      True, this is possibly a PCI compliance violation. PAN should be encrypted sufficiently to defeat realistic threats. Preventing acquisition isn't the standard.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    7. Re:One year free credit monitoring by Anonymous Coward · · Score: 0

      Let me know where on my monitor I can insert my card's chip for online purchases.

    8. Re:One year free credit monitoring by rickb928 · · Score: 1

      Even better. Visa 3D Secure, Amex Safekey, MasterCard Securecode.

      And your card data doesn't go to the merchant.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  3. They got me - the dates match and it was Orbitz by jhecht · · Score: 2

    Bought an airline ticket from Orbitz Sept 2016, got hacked around Dec 1, 2017. So I'd say it's not just "may have accessed."

  4. Regulation - there should be more of it by Zaelath · · Score: 1

    Too many people are collecting data they don't need in the name of convenience and travel is at the top of the list. Losing the credit card details is trivially corrected; report it lost, new card, new number. But even then they shouldn't be storing that stuff by default, but rather because the customer flies that often and has insisted they keep it or has enrolled in some kind of subscription model (like Netflix). The other details that can't be trivially changed, like your date of birth, shouldn't be allowed to be stored any more by intermediary companies. They can ask for them to process the transaction, but not store them.

    1. Re:Regulation - there should be more of it by ShanghaiBill · · Score: 3, Interesting

      But even then they shouldn't be storing that stuff by default, but rather because the customer flies that often and has insisted they keep it or has enrolled in some kind of subscription model (like Netflix).

      This is partly because of the stupidity and apathy of the banks. Immediately after the first transaction, they could give the merchant (Orbitz in this case) a token for repeated transactions, that could only be used by that merchant. Then the merchant would only need the last 4 digits (to confirm the CC # with the customer), and would have no need to store the other digits.

      People that suffer from CC fraud:
      1. End users
      2. Merchants

      People that have the power to fix the problem:
      1. Banks

      Please note that these are disjoint sets. Banks actually profit from fraud because they can charge $30 for every chargeback, which costs them $0 to process. They have no incentive to fix the system.
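      The merchant-bound token scheme the comment above describes, worked through as an added illustration (not Orbitz's, Expedia's or any bank's actual system). The `IssuerVault` class, the merchant ids and the card number are all hypothetical or constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class IssuerVault:
    """Issuer side (hypothetical): the only place the full PAN lives. Maps
    opaque tokens to (merchant_id, PAN) so a token can be redeemed solely by
    the merchant it was issued to."""
    _entries: dict = field(default_factory=dict)

    def enroll(self, merchant_id: str, pan: str) -> dict:
        """First transaction: hand the merchant a merchant-scoped token plus the
        last four digits. That is all it needs to keep for repeat purchases."""
        token = secrets.token_urlsafe(24)  # unguessable, carries no card data
        self._entries[token] = (merchant_id, pan)
        return {"token": token, "last4": pan[-4:]}

    def charge(self, merchant_id: str, token: str, amount_cents: int) -> bool:
        """Repeat transaction: authorize only if the token exists and was issued
        to this same merchant. A token lifted from one merchant's database is
        useless when presented by anyone else."""
        entry = self._entries.get(token)
        if entry is None or amount_cents <= 0:
            return False
        bound_merchant, _pan = entry
        # constant-time compare so timing does not leak which ids are enrolled
        return hmac.compare_digest(bound_merchant.encode(), merchant_id.encode())


def demo() -> dict:
    """Constructed scenario: a card enrolled at a travel site, then the stored
    record replayed by the legitimate merchant and by someone who copied it."""
    vault = IssuerVault()
    pan = "4111111111111111"  # constructed test card number, not a real account
    stored = vault.enroll("travel-site", pan)  # what the merchant persists
    return {
        "merchant_record_has_pan": pan in stored.values(),
        "last4": stored["last4"],
        "repeat_by_same_merchant": vault.charge("travel-site", stored["token"], 19900),
        "replay_by_other_merchant": vault.charge("other-shop", stored["token"], 19900),
        "unknown_token": vault.charge("travel-site", "not-a-token", 500),
    }


if __name__ == "__main__":
    print(demo())
```

      The point of the demo is the stored merchant record: it contains a token and four digits, so a breach of that record yields nothing that can be charged elsewhere.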

    2. Re:Regulation - there should be more of it by mjwx · · Score: 1

      But even then they shouldn't be storing that stuff by default, but rather because the customer flies that often and has insisted they keep it or has enrolled in some kind of subscription model (like Netflix).

      This is partly because of the stupidity and apathy of the banks. Immediately after the first transaction, they could give the merchant (Orbitz in this case) a token for repeated transactions, that could only be used by that merchant. Then the merchant would only need the last 4 digits (to confirm the CC # with the customer), and would have no need to store the other digits.

      People that suffer from CC fraud:
      1. End users
      2. Merchants

      People that have the power to fix the problem:
      1. Banks

      You're correct up to here.

      Please note that these are disjoint sets. Banks actually profit from fraud because they can charge $30 for every chargeback, which costs them $0 to process. They have no incentive to fix the system.

      Banks actually lose money on fraud. You can't do a chargeback to a fake merchant set up in some shithole where criminals are pretty much permitted to get away with murder so long as they remain in a certain Vlad's favour. As soon as the first chargeback comes in, the merchant account is shuttered with the money already moved to other accounts and they start the whole thing over again with a new merchant account.

      How banks make money is by skimming a few percent of every transaction done on credit. Even if it's in positive balance (i.e. using your own money) they still take 1-6% by charging the merchant to accept the card (meanwhile encouraging you to use it). You're 100% right that banks have the power to stop this and you're right that they're not doing it to protect profit, but just wrong about the method. If banks actually implemented meaningful card security, they'd eliminate a vast percentage of fraud, but it will involve making cards harder to use and this means people will just go back to cash because it's easier, which means the bank isn't getting a cut of everything you buy.

      So banks won't introduce meaningful or effective card security because the amount of money they'd lose to other payment methods is significantly less than the amount they're currently losing to fraud.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    3. Re:Regulation - there should be more of it by rickb928 · · Score: 1

      In every way banks lose due to fraud. Think of it this way:

      Your card data is used to purchase $30 of goods. Fraud is reported:

      - Bank pays merchant as fraud isn't yet reported.
      - Call or web site reporting the fraud. This has a cost.
      - Reimbursement or suspense of charge to card holder, net revenue is now negative, you cannot recover payment to merchant.
      - If merchant complied with standards, reimbursement is complete, or the chargeback is reversed, more costs.

      That $30 charge will require $1000 in charges to recover the cost of the goods only, not including the costs associated with handling the issues for this transaction only. If, however, the charge is more like $500, well, lots of lost revenue here.

      Banks have little incentive to tolerate outright fraud.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  5. Very common, no updates of the CMS just the content by Anonymous Coward · · Score: 0

    You set up a website, all nice content editors and such. You update the content for years, but not once does anyone update the underlying content management system... a short time later, it's hacked... as script kiddies are constantly looking for known backdoors to content management systems.

    The moral of the story. Update your CMS as well as the content, regularly!

  6. Apathy or Compliance? by Anonymous Coward · · Score: 0

    Wait.. is this so "expected" that there is no response from the community? Are we collectively numb from the numbers? I'd hate to think that a lack of response.. is either apathy or compliance...

  7. Worthless data by SuperKendall · · Score: 2

    Data from 2015/2016? Essentially worthless by now as those same numbers have been leaked/stolen many times over at this point.

    See? There's a benefit to rampant corporate insecurity!

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  8. Someone needs to sue Microsoft... by Anonymous Coward · · Score: 0

    since they founded Expedia that has had constant major problems with credit cards, and they bought Orbit Z as of three years ago. Several of my friends that worked for Microsoft, err I mean Expedia, lost their job in that acquisition. Just sucks that Expedia hasn't learned their lesson wrt security.

  9. Gum maker has a travel site? by Anonymous Coward · · Score: 1

    But why?

  10. What does "a legacy travel booking platform" mean? by Anonymous Coward · · Score: 1

    I can't help feeling that Orbitz is being deliberately obscure.

    Is this a platform under the orbitz.com domain? Was it under a different domain? And why "a legacy"? Have they had a multitude of booking platforms?

  11. What a lame response by Anonymous Coward · · Score: 0

    So we allowed your personal information to be hacked so here's your one year free credit monitoring. Yes, information probably old, but some of it is probably still valid and could be used. Otherwise why would anyone bother to hack it?

  12. What was the point? by Anonymous Coward · · Score: 0

    Russia is a tyranny, it's literally useless to take anything to any court there, it will always rule in favour of Tsar Putin.

    All this has done is put Telegraph execs at risk of being poisoned.

  13. Re:What does "a legacy travel booking platform" me by Anonymous Coward · · Score: 0

    The legacy platform was under orbitz.com. The current platform is now Expedia, with Orbitz branding.

  14. Re:What does "a legacy travel booking platform" me by Marc_Hawke · · Score: 1

    That's what I want to know. If it wasn't Orbitz.com, what was it? Was it the 'old' orbitz.com before they were bought by Expedia? When were they bought by Expedia? My wife said, "Why do they call it Legacy, is it for old people?"

    --
    --Welcome to the Realm of the Hawke--
  15. Re:What does "a legacy travel booking platform" me by Anonymous Coward · · Score: 0

    It sounds to me that they didn't bother taking the old site offline... and probably weren't patching it either...

  16. I have a good idea .. by najajomo · · Score: 1

    "Orbitz says a legacy travel booking platform may have been hacked .. Data that was likely exposed includes name, payment card information, date of birth, phone number, email address, physical and/or billing address and gender"

    I have a good idea, why not store the customer data in an encrypted form on the booking platform. That way, in the event Orbitz gets hacked, no customer information.