Expedia-owned travel site Orbitz said Tuesday a possible breach of both its consumer and partner platforms may have led to the disclosure of 880,000 payment cards.

According to Expedia, criminals had access to Orbitz consumer and business partner platforms, but not the Orbitz.com website. The consumer side of the Orbitz business platform was open to attack during the first half of 2016, while the partner platform was open to attack between Jan. 1, 2016 and Dec. 22, 2017, according to Expedia.

Expedia said it was first made aware of a possible breach on March 1.

Compromised data may have included payment card information such as names, phone numbers, email and billing addresses. Passwords are notably absent from the list, pointed out Paul Bischoff, privacy advocate at Comparitech.

The company said in a statement to the media:

“To date, we do not have direct evidence that this personal information was actually taken from the platform and there has been no evidence of access to other types of personal information, including passport and travel itinerary information.”

Expedia stressed its own Expedia platform was not impacted. Expedia acquired Orbitz in Sept. 2015, four months prior to the breach. Orbitz has not shared details regarding how the breach occurred, except for publicly stating the breach took place on one of its legacy systems.

Orbitz told Information Security Media Group that no U.S. consumer data was part of the 880,000 cards possibly stolen.

“The first rule in every publicly announced incident is that there’s always more to learn. I’m sure that there are more details about this incident that will shed additional light on the root causes and consequences,” said Tim Erlin, VP, product management and strategy at cybersecurity firm Tripwire.

It’s unclear how the data was breached, or if it was, based on what Expedia is sharing publicly. It’s also plausible the data was exposed because of a misconfigured storage container that allowed a third party access to Orbitz data. The past 12 months have seen a spate of hackers targeting misconfigured AWS, MongoDB and CouchDB databases and Elasticsearch storage repositories. As of September 2017, IBM X-Force estimates 1.3 billion records tied to just 24 incidents involving unsecured private data stores have been exposed to the public internet via misconfigured servers.

The hospitality sector has also been a popular target for criminals such as the Carbanak cybercrime gang. Criminals behind Carbanak are best known for allegedly stealing $1 billion from financial institutions worldwide. Researchers say the group has shifted strategy and is targeting the hospitality and restaurant industries with new techniques and malware.

Source: ThreatPost
