Orbitz Says Legacy Travel Site Likely Hacked, Affecting 880,000 Credit Cards

hyperclocker shares a report from U.S. News & World Report: Orbitz says a legacy travel booking platform may have been hacked, possibly exposing the personal information of people that made certain purchases between January 1, 2016 and December 22, 2017. Orbitz said Tuesday about 880,000 payment cards were impacted. Data that was likely exposed includes name, payment card information, date of birth, phone number, email address, physical and/or billing address and gender. The company said evidence suggests an attacker may have accessed information stored on the platform -- which was for both consumers and business partners -- between Oct. 1, 2017 and Dec. 22, 2017. "Orbitz said it worked with a forensic investigation firm, cybersecurity experts, and law enforcement once the breach was discovered in order to 'eliminate and prevent unauthorized access to the platform,'" reports The Verge. "The company also notes that its current site, Orbitz.com, wasn't affected. It is notifying customers who may have been impacted and is offering a year of free credit monitoring."

One year free credit monitoring

[El+Cubano]

One year credit monitoring is a joke. Seriously, in this day and age who still has not frozen there credit? Equifax now offers it for free after their breach and the other two (TransUnion and Experian) are just a few bucks. Depending on what state you live in you might even be able to freeze your credit for free depending on the law there.

Re:One year free credit monitoring

[ShanghaiBill]

To be fair though, credit cards themselves are a joke. Here is my 16 digit secret key. Please don't take more than you need.

Indeed. The root problem here is we base financial security on information that is both secret and widely known. Thousands of people have access to my SSN, and even more have access to my CC #s.

We should have 2FA for small transactions (debit cards already do this, as does ApplePay, Walmart-Pay, and WeChat), and 3FA for large transactions.

Re:One year free credit monitoring

[mjwx]

One year credit monitoring is a joke. Seriously, in this day and age who still has not frozen there credit? Equifax now offers it for free after their breach and the other two (TransUnion and Experian) are just a few bucks. Depending on what state you live in you might even be able to freeze your credit for free depending on the law there.

Actually the storing of card information, especially in an unencrypted or easily decrypted format is the joke here. If sites didn't store card information then we wouldn't have so much need for credit monitoring or so many freezes.

Re:One year free credit monitoring

[rickb928]

Chip & PIN, my friend. What you have (chip), what you know (PIN).

Widely used in the US, ubiquitous globally.

Re:One year free credit monitoring

[rickb928]

True, this is possibly a PCI compliance violation. PAN should be encrypted sufficiently to defeat realistic threats. Preventing acquisition isn't the standard.

Re:One year free credit monitoring

[rickb928]

Even better. Visa 3D Secure, Amex Safekey, MasterCard Securecode.

And your card data doesn't go to the merchant.

They got me - the dates match and it was Orbitz

[jhecht]

Bought an airline ticket from Orbitz Sept 2016, got hacked around Dec 1, 2017. So I'd say it not just "may have accessed."

Regulation - there should be more of it

[Zaelath]

Too many people are collecting data they don't need in the name of convenience and travel is at the top of the list. Losing the credit card details are trivially corrected; report it lost, new card, new number. But even then they shouldn't be storing that stuff by default, but rather because the customer flies that often and has insisted they keep it or has enrolled in some kind of subscription model (like Netflix). The other details that can't be trivially changed, like your date of birth, shouldn't be allowed to be stored any more by intermediary companies. They can ask for them to process the transaction, but not store them.

Re:Regulation - there should be more of it

[ShanghaiBill]

But even then they shouldn't be storing that stuff by default, but rather because the customer flies that often and has insisted they keep it or has enrolled in some kind of subscription model (like Netflix).

This is partly because of the stupidity and apathy of the banks. Immediately after the first transaction, they could give the merchant (Orbitz in this case) a token for repeated transactions, that could only be used by that merchant. Then the merchant would only need the last 4 digits (to confirm the CC # with the customer), and would have no need to store the other digits.

People that suffer from CC fraud:
1. End users
2. Merchants

People that have the power to fix the problem:
1. Banks

Please note that these are disjoint sets. Banks actually profit from fraud because they can charge $30 for every chargeback, which costs them $0 to process. They have no incentive to fix the system.

Re:Regulation - there should be more of it

[mjwx]

But even then they shouldn't be storing that stuff by default, but rather because the customer flies that often and has insisted they keep it or has enrolled in some kind of subscription model (like Netflix).

This is partly because of the stupidity and apathy of the banks. Immediately after the first transaction, they could give the merchant (Orbitz in this case) a token for repeated transactions, that could only be used by that merchant. Then the merchant would only need the last 4 digits (to confirm the CC # with the customer), and would have no need to store the other digits.

People that suffer from CC fraud:
1. End users
2. Merchants

People that have the power to fix the problem:
1. Banks

You're correct up to here.

Please note that these are disjoint sets. Banks actually profit from fraud because they can charge $30 for every chargeback, which costs them $0 to process. They have no incentive to fix the system.

Banks actually lose money on fraud. You cant do a chargeback to a fake merchant set up in some shithole where criminals are pretty much permitted to get away with murder so long as they remain in a certain Vlad's favour. As soon as the first chargeback comes in, the merchant account is shuttered with the money already moved to other accounts and the start the whole thing over again with a new merchant account.

How banks make money is by skimming a few percent of every transaction done on credit. Even if it's in positive balance (I.E. using your own money) they still take 1-6% by charging the merchant to accept the card (meanwhile encouraging you to use it). You're 100% right that banks have the power to stop this and you're right that they're not doing it to protect profit but just wrong about the method. If banks actually implemented meaningful card security, they'd eliminate a vast percentage of fraud but it will involve making cards harder to use and this means people will just go back to cash because it's easier, this means the bank isn't getting a cut of everything you buy.

So banks wont introduce meaningful or effective card security because the amount of money they'd lose to other payment methods is significantly less than the amount they're currently losing to fraud.

Re:Regulation - there should be more of it

[rickb928]

In every way banks lose due to fraud. Think of it this way:

Your card data is used to purchase $30 of goods. Fraud is reported:

- Bank pays merchant as fraud isn't yet reported.
- Call or web site reporting the fraud. This has a cost.
- Reimbursement or suspense of charge to card holder, net revenue is now negative, you cannot recover payment to merchant.
- If merchant complied with standards, reimbursement is complete, or the chargeback is reversed, more costs.

That $30 charge will require $1000 in charges to recover the cost of the goods only, not including the costs associated with handling the issues for this transaction only. If, however, the charge is more like $500, well, lots of lost revenue here.

Banks have little incentive to tolerate outright fraud.

Worthless data

[SuperKendall]

Data from 2015/2016? Essentially worthless by now as those same numbers have been leaked/stolen many times over at this point.

See? There's a benefit to rampant corporate insecurity!

Gum maker has a travel site?

But why?

What does "a legacy travel booking platform" mean?

I can't help feeling that Orbitz is being deliberately obscure.

Is this a platform under the orbitz.com domain? Was it under a different domain? And why "a legacy"? Have they had a multitude of booking platforms?

Re:What does "a legacy travel booking platform" me

[Marc_Hawke]

That's what I want to know. If it wasn't Orbitz.com, what was it? Was it the 'old' orbitz.com before they were bought by Expedia? When were they bought by Expedia? My wife said, "Why do they call it Legacy, is it for old people?"

I have a good idea ..

[najajomo]

"Orbitz says a legacy travel booking platform may have been hacked .. Data that was likely exposed includes name, payment card information, date of birth, phone number, email address, physical and/or billing address and gender"

I have a good idea, why not store the customer data in an encrypted form on the booking platform. That way, in the event Orbiz gets hacked, no customer information.