Expedia-owned travel site Orbitz said Tuesday a possible breach of both its consumer and partner platforms may have led to the disclosure of 880,000 payment cards.
According to Expedia, criminals had access to the Orbitz consumer and business partner platforms, but not the Orbitz.com website. The consumer platform was open to attack during the first half of 2016, while the partner platform was exposed between Jan. 1, 2016 and Dec. 22, 2017.
Expedia said it was first made aware of a possible breach on March 1.
Compromised data may have included payment card information along with names, phone numbers, and email and billing addresses. Passwords are notably absent from the list, as Paul Bischoff, privacy advocate at Comparitech, pointed out.
The company said in a statement to the media:
“To date, we do not have direct evidence that this personal information was actually taken from the platform and there has been no evidence of access to other types of personal information, including passport and travel itinerary information.”
Expedia stressed that its own Expedia platform was not impacted. Expedia acquired Orbitz in September 2015, four months before the start of the exposure window. Orbitz has not shared details regarding how the breach occurred, except to state publicly that it took place on one of its legacy systems.
Orbitz told Information Security Media Group that no U.S. consumer data was part of the 880,000 cards possibly stolen.
“The first rule in every publicly announced incident is that there’s always more to learn. I’m sure that there are more details about this incident that will shed additional light on the root causes and consequences,” said Tim Erlin, VP, product management and strategy at cybersecurity firm Tripwire.
It’s unclear how the data was breached, or whether it was, based on what Expedia is sharing publicly. It’s also plausible the data was exposed because of a misconfigured storage container that allowed a third party access to Orbitz data. The past 12 months have seen a spate of hackers targeting misconfigured AWS S3 buckets, MongoDB and CouchDB databases, and Elasticsearch instances. As of September 2017, IBM X-Force estimated that 1.3 billion records tied to just 24 incidents involving unsecured private data stores had been exposed to the public internet via misconfigured servers.
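To make the "misconfigured storage container" failure mode concrete, here is an added example (not code from the article, Orbitz or Expedia) of a small linter that flags S3 bucket-policy statements granting anonymous read or list access, with a weak policy beside its corrected form. The bucket names, account ID and role ARN are made up, and nothing here describes how Orbitz's systems were actually configured.

```python
"""Flag S3 bucket policy statements that let anyone read or list the bucket.

Added example; the policies below are constructed samples with made-up ARNs.
"""
import fnmatch
import json

# Read-type actions whose anonymous grant exposes stored records to the internet.
READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket")


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for 'Principal': '*' or {'AWS': '*'}: anyone, unauthenticated included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _matches(action, patterns):
    """Case-insensitive IAM-style wildcard match, e.g. 's3:Get*' or '*'."""
    return any(fnmatch.fnmatch(action.lower(), p.lower()) for p in patterns)


def _grants_read(statement):
    """True when Action (or NotAction) covers at least one read action."""
    if "Action" in statement:
        return any(_matches(a, _as_list(statement["Action"])) for a in READ_ACTIONS)
    if "NotAction" in statement:
        # NotAction allows everything except the listed actions.
        excluded = _as_list(statement["NotAction"])
        return any(not _matches(a, excluded) for a in READ_ACTIONS)
    return False


def public_read_statements(policy_json):
    """Return (Sid, kind) for Allow statements giving anonymous principals read access.

    kind is 'public' for an unconditional grant and 'conditional' when a
    Condition block (for example aws:SourceIp) may narrow it; conditional grants
    are reported rather than assumed safe.
    """
    policy = json.loads(policy_json)
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if not _is_anonymous(st.get("Principal")):
            continue
        if not _grants_read(st):
            continue
        kind = "conditional" if st.get("Condition") else "public"
        findings.append((st.get("Sid", f"statement[{i}]"), kind))
    return findings


# Constructed weak policy: partner export bucket readable and listable by anyone.
WEAK_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PartnerExport", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-partner-export",
                 "arn:aws:s3:::example-partner-export/*"]
  }]
}"""

# Constructed corrected policy: grant scoped to one partner role; the wildcard
# principal survives only in a Deny that refuses non-TLS requests.
FIXED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PartnerExport", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/partner-ingest"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-partner-export",
                 "arn:aws:s3:::example-partner-export/*"]
  }, {
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": "arn:aws:s3:::example-partner-export/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}"""

if __name__ == "__main__":
    print("weak :", public_read_statements(WEAK_POLICY))
    print("fixed:", public_read_statements(FIXED_POLICY))
```

The linter deliberately treats a wildcard principal with a Condition as a finding to review rather than as safe, because a Condition can be broad enough (or mistyped enough) to leave the bucket effectively public; only a grant scoped to a named principal is reported clean.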
The hospitality sector has also been a popular target for criminals such as the Carbanak cybercrime gang. The criminals behind Carbanak are best known for allegedly stealing $1 billion from financial institutions worldwide. Researchers say the group has shifted strategy and is targeting the hospitality and restaurant industries with new techniques and malware.