Personal information on as many as 880,000 payment cards was accessed in a security breach of the travel website Orbitz, company officials disclosed on March 20.
On March 1, the Expedia-owned site uncovered evidence of the unauthorized intrusion, which could affect thousands of customers. Orbitz determined that the personal information accessed may have included full name, payment card information, date of birth, phone number, email address, physical and/or billing address, and gender.
“There was evidence suggesting that, between October 1, 2017 and December 22, 2017, an attacker may have accessed certain personal information, stored on this consumer and business partner platform, that was submitted for certain purchases made between January 1, 2016 and June 22, 2016 (for Orbitz platform customers) and between January 1, 2016 and December 22, 2017 (for certain partners’ customers),” the company said about the security breach.
Orbitz has not found any evidence of unauthorized access to other types of personal information, including passport and travel itinerary information. No social security numbers were accessed because the site does not collect them.
Orbitz officials said they have been notifying potentially impacted customers and business partners about the security breach.
The travel website said it took immediate steps to enhance security and monitoring of the affected platform.
“As part of the Company’s investigation and remediation work, Orbitz brought in a leading third-party forensic investigation firm and other cybersecurity experts, began working with law enforcement, and took measures to effectively prevent any unauthorized access and enhance security,” officials said.