Orbitz says data breach might have hit 800,000 payment cards
SAN FRANCISCO – As many as
800,000 payment cards used on Orbitz.com in 2016 may have been breached, Orbitz’s parent company Expedia said Tuesday.
The online travel agency reported two separate data disclosures.
An attacker may have accessed customers’ personal information for some purchases made on Orbitz.com between Jan. 1, 2016, and June 22, 2016.
In addition, customer information from multiple travel sites that used Orbitz as their booking engine was possibly compromised between Jan. 1
2016, and Dec. 22, 2016.
One of the affected sites was American Express, which in a statement said it was contacting the affected customers.
The breach affected Amextravel.com and travel booked through Amex Travel Representatives. American Express Global Business Travel and the AmericanExpress.com website were not affected, the company said.
Expedia did not say what other partner platforms were affected.
The Orbitz.com breach was discovered on March 1. It appears to have taken place between Oct. 1, 2017, and Dec.
22, 2017. At that time, the attacker might have accessed personal information stored on Orbitz.com and its partner platform from 2016.
The current Orbitz.com site was not involved, Expedia said. Orbitz is a subsidiary of travel site Expedia, which purchased it in 2015.
According to Expedia, information that was likely accessed could include the customer’s full name, payment card information, date of birth, phone number, email address, physical and/ or billing address and gender.
Expedia said it is notifying all affected customers and partners.