Orbitz has released details regarding a data breach. There are two different sets of dates relating to the breach:
- January 1st, 2016 and June 22nd, 2016 for the consumer platform
- January 1st, 2016 and December 22nd, 2017 for their partner platform
The Orbitz site itself was not affected; the breach involved a legacy travel booking platform. That being said, the attacker accessed the following customer data: names, date of birth, post and e-mail addresses, gender and payment card information. Social security numbers were not accessed and Orbitz stated that:
“To date, we do not have direct evidence that this personal information was actually taken from the platform and there has been no evidence of access to other types of personal information, including passport and travel itinerary information,”
That doesn’t fill me with any sort of confidence, given that’s what most, if not all, companies initially say after a data breach has occurred. Data breaches are all too common these days and I don’t believe the penalties align with the damage that can be done to individual consumers. If you think you might have been affected by this breach, we’d recommend reading this post on what to do. It provides information pertaining to the Equifax data breach, but the steps you need to take are mostly the same.
https://orbitz.allclearid.com/additionalinformation.html
So, how do we know if we were impacted? I don’t get why they can’t make that clear… How do I know if travel I booked two years ago was involved with the legacy booking system? Looks like it’s best to sign up for all-clear if in doubt, and let them cancel it if you are not affected. I rarely travel, so personally I think I am fine.
I just spoke to the dedicated phone line.
The agent said that all affected customers WILL receive an email or a letter in the mail.
She was not sure if they have been sent out or not. I have trusted ID from the Equifax breach.. don’t really want to sign up for another one.. All Clear ID .. so will wait to see if I receive a letter or email.
I received an email from AMEX saying that their AMEX travel website or phone booking systems are compromised because they used Orbitz system platform. So most likely my information is already out there because I’ve used their website to book travels in the last few months using the business platinum card benefits.
There should be a consumer law passed that requires companies to pay people a fixed $ amount for breaches of unencrypted data. For example, each name/email = $10. CC = $50. SSN = $100, etc.
Security breaches will magically become way less common.
Waiting for more free credit monitoring services
You’re right – it does feel all too common. I wonder when the cost of a leak outweighs the cost of applying security a priori. Any thoughts to what kind of penalties you’d like to see, DOC?
Haven’t really thought about potential penalties, I’d like to see more criminal penalties when there is gross negligence or a cover up occurs as a start.