The online travel company Orbitz has suffered a major data breach possibly exposing the personal information associated with the owners of up to 880,000 payment cards.
The company, a subsidiary of Expedia, said in a statement that the payment card information was taken during a breach that hit its consumer and partner platforms. The exposed consumer data was taken from certain purchases made between January 1, 2016, and June 22, 2016, while information from purchases was exposed from the partner platform between January 1, 2016, and December 22, 2017.
Orbitz did not disclose the nature of the data breach, but a few industry executives believe either an Orbitz partner may be to blame or an internal staffer's credentials were compromised.
"Orbitz mentions it believes the hacker got into the ‘Orbitz consumer and business partner platform.' It's not entirely clear to me what the company is referring to, but by the sounds of it, third parties are able to access Orbitz customer information, which for some reason includes payment card details. Orbitz hasn't provided any additional details about how the breach occurred, but I suspect one of the partners on this platform was compromised,” said Paul Bischoff, privacy advocate at Comparitech.com.
However, Perry Chaffee, VP of strategy at authentication company WWPass, said that the target was stored in a centralized database that was most likely accessible to "trusted" admins who could have been compromised without their knowledge and that database was probably also accessible on the back end.
“According to Verizon's DBIR, there's an 81 percent probability that the compromised credentials of a trusted admin were the root cause of this attack. There's a 19 percent chance that access resulted from a more complex back-end attack, but I'd be more focused on the 4/5 chance that an admin's password was guessed, stolen, intercepted, or cracked,” he said.
The intrusion was discovered on March 1, 2018, and most likely took place between October 1, 2017, and December 22, 2017, Orbitz said. The company was conducting an investigation on an older Orbitz.com platform when its researchers found evidence that unauthorized access had been gained.
The information that was likely accessed may include full name, payment card information, date of birth, phone number, email address, physical and/or billing address, and gender. The company said that despite the information being unsecured it has not found any direct evidence that this personal information was actually taken from the platform.
“Our investigation to date has not found any evidence of unauthorized access to other types of personal information, including passport and travel itinerary information. For U.S. customers, Social Security numbers were not involved in this incident, as they are not collected nor held on the platform,” Orbitz said.
Orbitz was acquired by Expedia in February 2015 for $1.6 billion in cash.
"Orbitz is not alone in its lack of visibility into some systems. Any organization that is acquired by or is acquiring another business and its IT assets typically has a major blind spot with respect to its legacy or non-production systems. As is the case with most audits and post-mortems in the event of a breach, Expedia is likely looking back at the infrastructure affiliated with its prior acquisitions, like Travelocity, to ensure all of its owned databases are not similarly impacted,” said Mike Schuricht, VP product management for Bitglass.
George Avetisov, CEO of HYPR, said that while how part of the breach has not been made public the fact that this amount of personal information was stored in one locale is problematical.
“The Orbitz breach is yet another example of what happens when personal credentials are centralized. The centralization of biometrics, pins, passwords, and credit cards has proven to create a single point of failure targeted by hackers. Large enterprises are moving towards decentralized authentication in order to prevent large-scale breaches, eliminate fraud and ensure user privacy,” he told SC Media.