Travel company Orbitz announced a security breach that compromised over 880,000 customer accounts during a two-year period from January 2016 – December 2017. Orbitz is a travel and vacation package aggregator and a direct competitor of Priceline.
According to Expedia, which owns Orbitz, “Criminals had access to Orbitz consumer and business partner platforms, but not the Orbitz.com website. The consumer side of the Orbitz business platform was open to attack during the first half of 2016, while the partner platform was open to attack between Jan. 1, 2016 and Dec. 22, 2017.”
According to the press release, the breach allowed attackers to steal names, dates of birth, billing addresses, and email addresses. Expedia was clear to apologize but added that there was no evidence that the data was actually stolen; I would love to have Expedia explain to me how they arrived at that conclusion (hackers apparently just like to look at data for two years). There was no mention of whether passwords were also stolen. Expedia explained that the attack targeted third-party vendors and not the Orbitz website.
Financially, this will likely have a negative impact on the valuation of parent company Expedia, whose stock price has underperformed in the past year. Not only is the breach a reputational hit, it is also an unplanned expenditure of millions of dollars for the 880,000 customers who accept Expedia’s offer of credit monitoring because of the breach. I wonder if Expedia will contract with Experian to perform the monitoring service?
From a prevention perspective, it’s important to use a unique password for each web property you interact with – never reuse passwords! The lesson here is that if a hacker acquired your reused password at Orbitz, he/she would have it for other sites as well.
For Orbitz, the key takeaway is to be vigilant about your third-party vendors and their networks – especially their legacy systems. The days of making your vendors demonstrate the security of their networks are here.
What I find most interesting is that American Express also revealed a breach recently, blaming a third-party vendor just as Orbitz has done. Neither company has identified the third-party vendor.