Orbitz Says Legacy Travel Site Likely Hacked, Affecting 880,000 Credit Cards

hyperclocker shares a report from U.S. News & World Report: Orbitz says a legacy travel booking platform may have been hacked, possibly exposing the personal information of people that made certain purchases between January 1, 2016 and December 22, 2017. Orbitz said Tuesday about 880,000 payment cards were impacted. Data that was likely exposed includes name, payment card information, date of birth, phone number, email address, physical and/or billing address and gender. The company said evidence suggests an attacker may have accessed information stored on the platform -- which was for both consumers and business partners -- between Oct. 1, 2017 and Dec. 22, 2017. "Orbitz said it worked with a forensic investigation firm, cybersecurity experts, and law enforcement once the breach was discovered in order to 'eliminate and prevent unauthorized access to the platform,'" reports The Verge. "The company also notes that its current site, Orbitz.com, wasn't affected. It is notifying customers who may have been impacted and is offering a year of free credit monitoring."

One year free credit monitoring

[El+Cubano]

One year credit monitoring is a joke. Seriously, in this day and age who still has not frozen there credit? Equifax now offers it for free after their breach and the other two (TransUnion and Experian) are just a few bucks. Depending on what state you live in you might even be able to freeze your credit for free depending on the law there.

Re:One year free credit monitoring

[mjwx]

One year credit monitoring is a joke. Seriously, in this day and age who still has not frozen there credit? Equifax now offers it for free after their breach and the other two (TransUnion and Experian) are just a few bucks. Depending on what state you live in you might even be able to freeze your credit for free depending on the law there.

Actually the storing of card information, especially in an unencrypted or easily decrypted format is the joke here. If sites didn't store card information then we wouldn't have so much need for credit monitoring or so many freezes.

They got me - the dates match and it was Orbitz

[jhecht]

Bought an airline ticket from Orbitz Sept 2016, got hacked around Dec 1, 2017. So I'd say it not just "may have accessed."

Worthless data

[SuperKendall]

Data from 2015/2016? Essentially worthless by now as those same numbers have been leaked/stolen many times over at this point.

See? There's a benefit to rampant corporate insecurity!

Re:Regulation - there should be more of it

[ShanghaiBill]

But even then they shouldn't be storing that stuff by default, but rather because the customer flies that often and has insisted they keep it or has enrolled in some kind of subscription model (like Netflix).

This is partly because of the stupidity and apathy of the banks. Immediately after the first transaction, they could give the merchant (Orbitz in this case) a token for repeated transactions, that could only be used by that merchant. Then the merchant would only need the last 4 digits (to confirm the CC # with the customer), and would have no need to store the other digits.

People that suffer from CC fraud:
1. End users
2. Merchants

People that have the power to fix the problem:
1. Banks

Please note that these are disjoint sets. Banks actually profit from fraud because they can charge $30 for every chargeback, which costs them $0 to process. They have no incentive to fix the system.