Orbitz Says Names, Addresses, Dates of Birth, Payment Card Information Possibly Exposed

On March 20, 2018, Engadget reported (“Orbitz data breach exposed 880,000 payment cards”) that

Orbitz announced . . . that it has discovered evidence of a data breach, making it just another of the many companies recently afflicted. Between October and December of last year, hackers may have accessed consumer data submitted to a legacy website between January 1, 2016 and June 22, 2016. Additionally, Orbitz partner platform data submitted between January 1, 2016 and December 22, 2017 may also have been breached. The company discovered signs of the breach on March 1st and estimates that approximately 880,000 credit cards may have been impacted. (Emphasis added)

According to the statement provided by Orbitz about the data security incident:

What Happened?

While conducting an investigation of a legacy Orbitz travel booking platform (the “platform”), Orbitz determined on March 1, 2018 that there was evidence suggesting that, between October 1, 2017 and December 22, 2017, an attacker may have accessed certain personal information, stored on this consumer and business partner platform, that was submitted for certain purchases made between January 1, 2016 and June 22, 2016 (for Orbitz platform customers) and between January 1, 2016 and December 22, 2017 (for certain partners’ customers). Orbitz immediately began investigating the incident and made every effort to remediate the issue, including taking swift action to eliminate and prevent unauthorized access to the platform.

What Information Was Involved?

On March 1, 2018, Orbitz determined that the personal information that was likely accessed may have included full name, payment card information, date of birth, phone number, email address, physical and/or billing address, and gender.

What Information Was Not Involved?

Orbitz’ investigation to date has not found any evidence of unauthorized access to other types of personal information, including passport and travel itinerary information. Additionally, Orbitz can assure U.S. customers that Social Security numbers were not involved in this incident, as these are not collected nor held on the platform.

Orbitz Business Partners Impacted by the Data Breach Unknown

The Wall Street Journal reported (“Orbitz Discloses Possible Data Breach Affecting 880,000 Payment Cards”) that “Orbitz didn’t disclose which business partners were affected by the breach, but American Express Co. . . . said separately that travel booked through its representatives and through Amextravel.com had been affected by the cyberattack.” The Wall Street Journal also reported that “American Express said American Express Global Business Travel and the platforms that manage credit-card accounts weren’t impacted by the attack.” See also (“Orbitz Discloses Possible Data Breach Affecting 880,000 Payment Cards–Update”).

Consumers Whose Information May Have Been Compromised by the Orbitz Data Breach

If you have received a notice or otherwise believe that your personal information may have been stolen or compromised, please contact Michael Yarnoff, Esq., [email protected], (215) 792-6676, Ext. 804, complete the form above on the right or e-mail [email protected] for a free evaluation of your potential legal rights.

Kehoe Law Firm, P.C.