880,000 payment cards data breached in Orbitz security incident

Travel booking website Orbitz, part of online travel agency Expedia, confirmed a data security incident was detected on March 1, possibly exposing the personal information associated with some 880,000 payments cards.

The breach affected both the partner and consumers platforms between 2016 and 2017. American Express announced its platforms have not been compromised.

“We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform,” Orbitz said. “As part of our investigation and remediation work, we brought in a leading third-party forensic investigation firm and other cybersecurity experts, began working with law enforcement and took swift action to eliminate and prevent unauthorized access to the platform.”

Following the investigation the company believes hackers may have accessed names, payment card information, dates of birth, phone numbers, email addresses, physical and/or billing addresses and gender. Attackers did not have access to social security numbers (for US customers), passport and travel information and there is no strong evidence that any data was stolen as a result of this incident.

“To date, we do not have direct evidence that this personal information was actually taken from the platform and there has been no evidence of access to other types of personal information, including passport and travel itinerary information,” Orbitz said.

Orbitz is reaching out to all affected customers and offers credit monitoring and identity protection free of charge for one year.