Expedia Inc-owned Orbitz has disclosed today evidence of a security breach that impacted approximately 880,000 customers.
According to Expedia, the incident was discovered while the company was investigating a related issue on the Travelocity Partner Network legacy platform, which lives in the same environment as Orbitz.
In a document obtained by PhocusWire from RBC Royal Bank, a similar data breach around the same time also affected customers on the RBC travel rewards redemption platform operated by Travelocity.
Subscribe to our newsletter below
When reached for comment about Travelocity, Expedia says: "We don’t comment on specific partner engagements but I can confirm there is more than one partner impacted by this incident."
Expedia says on March 1, 2018, it determined the Orbitz hack, in which an attacker may have accessed personal information stored on its consumer and business partner platforms between October 1 and December 22, 2017.
The information leaked – from certain purchases on the Orbitz customer platform between January 1 and June 22, 2016, and from its partner platform between January 1, 2016, and December 22, 2017 - likely includes full name, payment card information, date of birth, phone number, email address, billing address and gender.
According to the RBC document, the Travelocity incident potentially affected payment card information used to book travel using the RBC Travel Rewards website between October 3 and December 22, 2017 – the same time frame as the alleged Orbitz hack.
Regarding the Orbitz matter, Expedia says that, to date, it does not have “direct evidence that personal information was actually taken from the platform,” and the investigation “has not found any evidence of unauthorized access to other types of personal information, including passport and travel itinerary information.” The company says Social Security numbers were not involved in the incident, and the current Orbitz.com website was not affected.
“Ensuring the safety and security of the personal data of our customers and our partners’ customers is very important to us. We deeply regret the incident, and we are committed to doing everything we can to maintain the trust of our customers and partners,” Expedia says in a statement.
“We are offering affected individuals one year of complimentary credit monitoring and identity protection service in countries where available. Additionally, we are providing partners with complimentary customer notice support for partners to inform their customers, if necessary.”