Orbitz Data Breach Affects Almost 900,000 Consumers
Orbitz announced today that hackers accessed customer data, including credit card numbers, submitted to one of its websites between January 2016 and June 2016, and data submitted to an Orbitz partner web site between January 2016 and December 2017 – two years' worth of data. They estimate it at around 880,000 cards, but they, apparently, don't really know.
They also say they don't think Social Security numbers, passport numbers or itinerary information were accessed. At least, they don't think so at this point.
Information that was accessed includes names, credit cards, birth dates, phone numbers, emails, physical and billing addresses and gender info.
But they don’t really know.
It seems like they don’t know much of anything.
Other than “Ensuring the safety and security of the personal data of our customers and our partners’ customers is very important to us”.
Orbitz, a division of Expedia, says it enhanced its security right away after it discovered the breach. Nice, but the timing is a bit off: the data had been exposed for up to two years by then.
Okay, so now that I've beaten them up, what should you do?
First, that answer depends on whether you are a web site operator or a consumer.
For the consumer, it is easier: almost all credit, debit and bank account providers can text you every time your card or account is used. You will receive the text within seconds. SET THIS UP. It is free.
If your bank or credit card company is one of the very few that don’t offer this, move. Seriously. It is that much of a game changer.
If you can detect credit card fraud within seconds, you have completely neutered a hacker's desire to steal or use your credit card: one text, one call to the bank, and the card is dead. They are toast.
Most people don't do this because, they figure, it is the bank's problem or the credit card company's problem. That is true, BUT ONLY FOR CONSUMERS, whose liability for card fraud is capped by law. THIS IS NOT TRUE FOR BUSINESSES. Even for consumers, the fraud raises the price on everything you buy by several percent. Get rid of the fraud and things could be less expensive. More importantly, it is a huge hassle to deal with the fraud. Avoiding it improves your sanity.
For web site operators, AKA business owners, there are many things you can do.
For credit cards, why are you storing credit card numbers at all? There is zero reason to do this other than laziness. Tokenize them instead: your payment processor keeps the card number in its vault and hands you back a token that is worthless to anyone else. A breach of your database then yields no card numbers, your PCI scope and your liability shrink, and you can advertise that you don't store customers' credit card info. You can still do recurring credit card charges, using the token. If you don't know how to do this, contact us for help.
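Here is what tokenization looks like from the merchant's side, as an added example (not Orbitz, Expedia or any processor's code). The `ProcessorVault` class is a stand-in for the payment processor's hosted vault; in production it lives on the processor's side of the PCI boundary and your systems only ever see the token. The customer IDs, card numbers and amounts are constructed test values, and the token format is an assumption.

```python
# Card tokenization from the merchant's side: the application never stores a PAN.
# Added illustrative example, not Orbitz/Expedia code.  ProcessorVault is a
# stand-in for the payment processor's hosted vault; in production it lives on
# the processor's side of the PCI boundary and your systems only ever see the
# token.  Customer IDs and card numbers below are constructed test values.
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Reject mistyped numbers before they are sent anywhere (Luhn mod-10 check)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Stand-in for the processor's vault: the only place a card number lives."""

    def __init__(self):
        self._cards = {}      # token -> PAN, never exposed to the merchant
        self.charges = []     # (token, amount_cents) accepted charges

    def tokenize(self, pan: str) -> str:
        # The token is random, not derived from the PAN (no hash, no
        # format-preserving encryption), so nothing can be recovered from it.
        token = "tok_" + secrets.token_urlsafe(18)
        self._cards[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        if token not in self._cards or amount_cents <= 0:
            return False
        self.charges.append((token, amount_cents))
        return True


@dataclass
class StoredPaymentMethod:
    """Everything the merchant database keeps: enough to show the customer
    which card is on file and to bill it again, nothing an attacker can use."""
    customer_id: str
    token: str
    last4: str
    exp_month: int
    exp_year: int


class MerchantApp:
    def __init__(self, vault: ProcessorVault):
        self.vault = vault
        self.db = {}          # customer_id -> StoredPaymentMethod

    def save_card(self, customer_id: str, pan: str, exp_month: int, exp_year: int) -> StoredPaymentMethod:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = self.vault.tokenize(pan)      # PAN goes out once, token comes back
        record = StoredPaymentMethod(customer_id, token, pan[-4:], exp_month, exp_year)
        self.db[customer_id] = record         # the PAN itself is not retained
        return record

    def charge_recurring(self, customer_id: str, amount_cents: int) -> bool:
        """Monthly billing needs only the token; the card number is never touched."""
        method = self.db.get(customer_id)
        return method is not None and self.vault.charge(method.token, amount_cents)

    def breach_dump(self) -> str:
        """What an attacker who copies the whole merchant database walks away with."""
        return "\n".join(f"{m.customer_id},{m.token},{m.last4},{m.exp_month}/{m.exp_year}"
                         for m in self.db.values())


if __name__ == "__main__":
    app = MerchantApp(ProcessorVault())
    app.save_card("cust_1", "4242424242424242", 12, 2030)   # constructed test card
    print(app.charge_recurring("cust_1", 1999))
    print(app.breach_dump())
```

The point of `breach_dump` is the check to run on your own schema: if a full copy of your customer table contains anything more than tokens, last-four digits and expiry dates, you are storing card data you do not need. Tokens are random rather than hashed or encrypted card numbers, so there is nothing to brute-force, and the same card tokenized twice yields two unrelated tokens.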
Next, Expedia should be embarrassed beyond belief that it doesn't know what was accessed and what was stolen. Logging of data access has become much simpler over the past few years. Step up the logging (who read which record, when, from where), keep the logs somewhere an attacker inside your application can't edit or delete them, and figure out how to report on that data, so that when something happens you can list exactly which records were touched.
Next, figure out what data you really need to preserve. If you can delete it without affecting your business, delete it. What you don’t have cannot be stolen.
Detect the breach faster. While it appears that Expedia detected the breach after it had been operating for only several months, could you detect it in one month? One week? One day? Yes, yes and yes, if your systems are designed right: a single account pulling thousands of customer records in an afternoon looks nothing like normal traffic, provided someone is looking.
Finally, make sure you have an incident response program tuned up and ready to go. Document it. Train people. Give them parachutes so they can jump into the fray when needed. Social media will crucify you within a few hours of the public announcement of a breach. You had better be ready to counteract that.
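The logging, reporting and detection advice above fits in one design, shown here as an added example (not Orbitz or Expedia code). Each data access is written to a MAC-chained audit log so edits and deletions are detectable; `records_touched` is the report that answers "which records did this principal read in this window?", and `detect_bulk_reads` is the rule that would have flagged a scrape in minutes rather than months. The log layout, the key, the principal names, the addresses, the record IDs and the threshold are all constructed for this demonstration.

```python
# A data-access audit log that can answer "which records were accessed?" and
# flag a scrape while it is still running.  Added illustrative example, not
# Orbitz/Expedia code: the log layout, principal names, IP addresses, record
# IDs and the detection threshold are all constructed for this demonstration.
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed secret for the MAC chain; in practice it is held by the log collector,
# not by the application servers whose compromise you are trying to detect.
LOG_KEY = b"example-log-key-rotate-me"


def _mac(event: dict) -> str:
    body = json.dumps({k: v for k, v in event.items() if k != "mac"}, sort_keys=True).encode()
    return hmac.new(LOG_KEY, body, hashlib.sha256).hexdigest()


def append_event(log: list, ts: str, principal: str, src_ip: str, record_id: str, action: str) -> dict:
    """Append one access event, chained to the previous one so that deleting or
    editing an earlier line breaks every MAC after it."""
    event = {"ts": ts, "principal": principal, "src_ip": src_ip,
             "record": record_id, "action": action,
             "prev": log[-1]["mac"] if log else ""}
    event["mac"] = _mac(event)
    log.append(event)
    return event


def verify_chain(log: list) -> bool:
    """Recompute every MAC and every back-pointer; any gap or edit returns False."""
    prev = ""
    for event in log:
        if event["prev"] != prev or not hmac.compare_digest(event["mac"], _mac(event)):
            return False
        prev = event["mac"]
    return True


def records_touched(log: list, principal: str, start_iso: str, end_iso: str) -> set:
    """The breach-scoping report: which records did this principal read
    between start and end (ISO 8601 timestamps)?"""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return {e["record"] for e in log
            if e["principal"] == principal and e["action"] == "read"
            and start <= datetime.fromisoformat(e["ts"]) <= end}


def detect_bulk_reads(log: list, window_seconds: int, max_records: int) -> list:
    """Detection rule: one principal reading more than max_records distinct
    records inside any window of window_seconds is a scrape, not customer service.
    Returns (principal, window start, distinct records) for each offender."""
    window = timedelta(seconds=window_seconds)
    by_principal = defaultdict(list)
    for e in log:
        if e["action"] == "read":
            by_principal[e["principal"]].append((datetime.fromisoformat(e["ts"]), e["record"]))
    alerts = []
    for principal, events in by_principal.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):           # sliding window over sorted events
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = {rec for _, rec in events[lo:hi + 1]}
            if len(distinct) > max_records:
                alerts.append((principal, events[lo][0].isoformat(), len(distinct)))
                break
    return alerts


def build_sample_log() -> list:
    """Constructed sample: an agent doing normal lookups for an hour, then a
    compromised partner API key pulling 250 customer records in four minutes."""
    log = []
    t0 = datetime(2017, 12, 1, 9, 0, 0)
    for i in range(5):
        append_event(log, (t0 + timedelta(minutes=12 * i)).isoformat(),
                     "agent.jane", "10.0.0.5", f"cust_{i}", "read")
    for i in range(250):
        append_event(log, (t0 + timedelta(hours=2, seconds=i)).isoformat(),
                     "partner_api_key_7", "203.0.113.9", f"cust_{1000 + i}", "read")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log))
    print("alerts:", detect_bulk_reads(log, window_seconds=3600, max_records=100))
    print("records exposed:", len(records_touched(log, "partner_api_key_7",
                                                  "2017-12-01T11:00:00", "2017-12-01T12:00:00")))
```

Two things to notice. The detection rule fires on the 101st distinct record, about a minute and a half into the scrape, which is the difference between "one day" and "several months". And the scoping report is only trustworthy because the chain verifies: if an attacker with database access could also trim the log, you would be back to "we don't really know". Tune the threshold against your own baseline; 100 records an hour is a placeholder.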
If you need help with this, please contact us.
Information for this post came from Engadget.
Hi Mitch,
I'm interested in outside organizations to vet my incident response plan. We are a mortgage company with 500 employees located in Ohio and the DC area.
Side note: I read your blog every day. Great information!