Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Communications Network Privacy The Internet

Orbitz Says Legacy Travel Site Likely Hacked, Affecting 880,000 Credit Cards (usnews.com) 29

hyperclocker shares a report from U.S. News & World Report: Orbitz says a legacy travel booking platform may have been hacked, possibly exposing the personal information of people that made certain purchases between January 1, 2016 and December 22, 2017. Orbitz said Tuesday about 880,000 payment cards were impacted. Data that was likely exposed includes name, payment card information, date of birth, phone number, email address, physical and/or billing address and gender. The company said evidence suggests an attacker may have accessed information stored on the platform -- which was for both consumers and business partners -- between Oct. 1, 2017 and Dec. 22, 2017. "Orbitz said it worked with a forensic investigation firm, cybersecurity experts, and law enforcement once the breach was discovered in order to 'eliminate and prevent unauthorized access to the platform,'" reports The Verge. "The company also notes that its current site, Orbitz.com, wasn't affected. It is notifying customers who may have been impacted and is offering a year of free credit monitoring."
This discussion has been archived. No new comments can be posted.

Orbitz Says Legacy Travel Site Likely Hacked, Affecting 880,000 Credit Cards

Comments Filter:
  • by El Cubano ( 631386 ) on Tuesday March 20, 2018 @07:18PM (#56294505)
    One year credit monitoring is a joke. Seriously, in this day and age who still has not frozen there credit? Equifax now offers it for free after their breach and the other two (TransUnion and Experian) are just a few bucks. Depending on what state you live in you might even be able to freeze your credit for free depending on the law there.
    • by mjwx ( 966435 )

      One year credit monitoring is a joke. Seriously, in this day and age who still has not frozen there credit? Equifax now offers it for free after their breach and the other two (TransUnion and Experian) are just a few bucks. Depending on what state you live in you might even be able to freeze your credit for free depending on the law there.

      Actually the storing of card information, especially in an unencrypted or easily decrypted format is the joke here. If sites didn't store card information then we wouldn't have so much need for credit monitoring or so many freezes.

      • True, this is possibly a PCI compliance violation. PAN should be encrypted sufficiently to defeat realistic threats. Preventing acquisition isn't the standard.

  • by jhecht ( 143058 ) on Tuesday March 20, 2018 @07:40PM (#56294621)
    Bought an airline ticket from Orbitz Sept 2016, got hacked around Dec 1, 2017. So I'd say it not just "may have accessed."
  • Too many people are collecting data they don't need in the name of convenience and travel is at the top of the list. Losing the credit card details are trivially corrected; report it lost, new card, new number. But even then they shouldn't be storing that stuff by default, but rather because the customer flies that often and has insisted they keep it or has enrolled in some kind of subscription model (like Netflix). The other details that can't be trivially changed, like your date of birth, shouldn't be a
    • by ShanghaiBill ( 739463 ) on Tuesday March 20, 2018 @08:51PM (#56294907)

      But even then they shouldn't be storing that stuff by default, but rather because the customer flies that often and has insisted they keep it or has enrolled in some kind of subscription model (like Netflix).

      This is partly because of the stupidity and apathy of the banks. Immediately after the first transaction, they could give the merchant (Orbitz in this case) a token for repeated transactions, that could only be used by that merchant. Then the merchant would only need the last 4 digits (to confirm the CC # with the customer), and would have no need to store the other digits.

      People that suffer from CC fraud:
      1. End users
      2. Merchants

      People that have the power to fix the problem:
      1. Banks

      Please note that these are disjoint sets. Banks actually profit from fraud because they can charge $30 for every chargeback, which costs them $0 to process. They have no incentive to fix the system.

      • by mjwx ( 966435 )

        But even then they shouldn't be storing that stuff by default, but rather because the customer flies that often and has insisted they keep it or has enrolled in some kind of subscription model (like Netflix).

        This is partly because of the stupidity and apathy of the banks. Immediately after the first transaction, they could give the merchant (Orbitz in this case) a token for repeated transactions, that could only be used by that merchant. Then the merchant would only need the last 4 digits (to confirm the CC # with the customer), and would have no need to store the other digits.

        People that suffer from CC fraud:
        1. End users
        2. Merchants

        People that have the power to fix the problem:
        1. Banks

        You're correct up to here.

        Please note that these are disjoint sets. Banks actually profit from fraud because they can charge $30 for every chargeback, which costs them $0 to process. They have no incentive to fix the system.

        Banks actually lose money on fraud. You cant do a chargeback to a fake merchant set up in some shithole where criminals are pretty much permitted to get away with murder so long as they remain in a certain Vlad's favour. As soon as the first chargeback comes in, the merchant account is shuttered with the money already moved to other accounts and the start the whole thing over again with a new merchant account.

        How banks make money is by skimming a few percent of every transaction

        • In every way banks lose due to fraud. Think of it this way:

          Your card data is used to purchase $30 of goods. Fraud is reported:

          - Bank pays merchant as fraud isn't yet reported.
          - Call or web site reporting the fraud. This has a cost.
          - Reimbursement or suspense of charge to card holder, net revenue is now negative, you cannot recover payment to merchant.
          - If merchant complied with standards, reimbursement is complete, or the chargeback is reversed, more costs.

          That $30 charge will require $1000 in charges to r

  • by SuperKendall ( 25149 ) on Tuesday March 20, 2018 @08:42PM (#56294877)

    Data from 2015/2016? Essentially worthless by now as those same numbers have been leaked/stolen many times over at this point.

    See? There's a benefit to rampant corporate insecurity!

  • by Anonymous Coward

    But why?

  • I can't help feeling that Orbitz is being deliberately obscure.

    Is this a platform under the orbitz.com domain? Was it under a different domain? And why "a legacy"? Have they had a multitude of booking platforms?

    • That's what I want to know. If it wasn't Orbitz.com, what was it? Was it the 'old' orbitz.com before they were bought by Expedia? When were they bought by Expedia? My wife said, "Why do they call it Legacy, is it for old people?"

  • "Orbitz says a legacy travel booking platform may have been hacked .. Data that was likely exposed includes name, payment card information, date of birth, phone number, email address, physical and/or billing address and gender"

    I have a good idea, why not store the customer data in an encrypted form on the booking platform. That way, in the event Orbiz gets hacked, no customer information.

If all else fails, lower your standards.

Working...