Travel website Orbitz announced on Wednesday that hackers may have accessed personal details as well as payment card information of about 880,000 customers after breaching one of its legacy travel booking platforms.
Orbitz said it discovered the breach earlier this month while conducting an investigation into the legacy booking platform. It added that the suspected hackers had access to the platform between October 1, 2017 and December 22, 2017.
Hackers stole merrily for two months without being spotted
"Between October 1, 2017 and December 22, 2017, an attacker may have accessed certain personal information, stored on this consumer and business partner platform, that was submitted for certain purchases made between January 1, 2016 and June 22, 2016 (for Orbitz platform customers) and between January 1, 2016 and December 22, 2017 (for certain partners’ customers)," it added.
According to Orbitz, which is a subsidiary of Expedia Inc., the personal information the hackers may have accessed included full name, payment card information, date of birth, phone number, email address, physical and/or billing address, and gender. It added that the attackers could not gain access to customers' passport and travel itinerary information.
Following its discovery of the breach, Orbitz hired a leading third-party forensic investigation firm and other cybersecurity experts to investigate the breach, took measures to effectively prevent any unauthorized access and enhance website security, and is also working with law enforcement agencies.
In order to compensate for the breach, Orbitz said it is offering one year of complimentary credit monitoring and identity protection service to all affected customers, whether they reside in the US or in other countries.
Commenting on how hackers could lurk for so long in an Orbitz system that stored customers' personal information without being detected, Neil Haskins, director of advisory services EMEA at IOActive, said the breach exposed poor security controls at Orbitz that allowed the hackers to access all the information they could possibly need.
"This is another case of companies not thinking like a hacker. It is suspected that the data was accessed through an older booking platform that may not have been front of mind for the internal security team, who would be more concerned with securing the current system. But hackers are resourceful, and will look to explore all potential avenues if the reward is big enough.
"Companies need to get into the mindset of a bad guy and stop ticking the audit boxes, as it's proven these don't make you more secure. Start giving your organisation a thorough assessment, not just IT but any vector that a bad guy might exploit, and if you don't know them, engage people that do.
"Ask yourself the simple questions, what is a bad guy after and how will he get it – production data sat in a development environment, a backup tape or an older platform? By doing this you can uncover vulnerabilities that you never thought were there, and hopefully stop breaches like this from ," he added.
Peanuts for customers
Ken Spinner, VP of Field Engineering at Varonis, also criticised Orbitz' response to the breach, stating that the consolation it offered to affected customers is entirely inadequate.
“Every time a major consumer brand reports a data breach, consumers are left holding a crummy consolation prize – typically a year’s worth of free credit monitoring and an emailed apology. It’s entirely inadequate for exposing valuable consumer and payment data for, in this case, close to two years.
"If someone broke into your house and walked off with your TV one day and your sofa the next, you would probably catch on quickly and install an alarm or get a dog to scare away intruders. Yet no one at Orbitz spotted critical data leaving their network for close to two years.
"Consumers are placing their personal information into the hands of companies that are simply failing to watch over and protect it from criminals. It’s shocking that given all the exposure and bad press from recent breaches it took Orbitz so long to notice anomalies on one of their legacy platforms and failed to lock it down. Companies will continue to drop the ball unless they’re finally held accountable," he said.