Dive Brief:
- On Tuesday, Orbitz announced a malicious actor accessed personal information on the company's partner and consumer platforms as early as 2016, according to an email statement provided to CIO Dive. Approximately 880,000 payment cards may have been impacted, as well as a variety of PII including birth dates, phone numbers, gender, addresses and names.
- The Expedia-owned travel booking platform discovered the breach on March 1, brought in third parties to aid with investigation and remediation, and notified law enforcement, according to the statement. Amex Travel Representatives and Amextravel.com were affected by the attack, according to a company announcement.
- The company is offering one year of credit monitoring and identity protection services to affected customers and offering customer notice support for business partners.
Dive Insight:
So far, Orbitz appears to have followed proper disclosure and follow-up protocols in a timely fashion. Whether its security practices were up to par when the intrusion happened remains to be seen.
Coming off the tail of Yahoo's 2 billion and Equifax's almost 150 million affected consumers, 880,000 feels like a drop in the ocean. Platforms that hold payment information are popular targets for malicious actors because the stolen information can be easily monetized.
There is the hope every subsequent breach will instill a little more caution, fear and attention into companies and security professionals.
But if one thing is certain, it is that the attacks will keep coming and the breaches will keep happening. Businesses need to make sure they have a recovery plan in place so that, like Orbitz, they can investigate, report and disclose in a matter of weeks, not months or years.