On March 20, 2018, travel website Orbitz, an Expedia subsidiary, disclosed that 880,000 payment cards may have been exposed in a data breach. According to Orbitz, an attacker possibly accessed sensitive personal identifying information, which was stored on a legacy Orbitz travel booking platform.
Since discovering the possible attack, Orbitz has stated that it’s taken steps to monitor and better secure the legacy platform. Orbitz is also notifying customers and business partners who may have been affected, and it’s offering some affected customers complimentary credit monitoring and identity protection services. As mentioned in past posts, however, complimentary services may not always provide everything you need. Read on to learn all about this breach and what consumers can do to protect themselves.
More about the Orbitz data breach
Signs of the possible breach were discovered during an investigation of the legacy platform, a consumer and business partner platform. While investigating the platform, on March 1, 2018, Orbitz determined that a breach likely occurred, and the news of the possible exposure was disclosed 19 days later on Tuesday, March 20. According to the company, the current Orbitz.com website was “not in any way involved in this incident.”
Evidence suggests that, between Oct. 1, 2017 and Dec. 22, 2017, an attacker may have accessed personal information through the legacy Orbitz travel booking platform. Specifically, the attacker had access to Orbitz platform customers’ information submitted for purchases made between Jan. 1, 2016 and June 22, 2016.
In addition, the personal information of some Orbitz partner customers may have been exposed. Orbitz serves as a booking engine for several travel websites, and Orbitz announced that it’s reaching out to potentially impacted business partners at this time. According to Orbitz, certain partners’ customers may have been affected. Specifically, those who’ve submitted personal information for purchases between Jan. 1, 2016, and Dec. 22, 2017 may be impacted.
While Orbitz hasn’t released a list of the exposed partners, one of its partners, American Express, has released a statement, saying that customers who’ve used AmexTravel.com or contacted AmexTravel representatives between Jan. 1, 2016, and Dec. 22, 2017 may have been impacted. Note that American Express Global Business Travel and “American Express platforms that card members use to manage their American Express card accounts” were not compromised, as noted in the statement. American Express will contact impacted customers to provide further assistance and information.
What information was exposed?
Customers’ personal information, including full names, payment card information, birth dates, phone numbers, email addresses, physical addresses, billing addresses and genders, may have been exposed in the Orbitz breach.
Based on Orbitz’s findings, as of now, other types of personal information, such as passport and travel itinerary information, have not been exposed through this incident. Additionally, U.S. customers’ Social Security numbers were not leaked through this possible breach, since the legacy platform does not collect such numbers.
What is Orbitz doing to assist impacted customers?
In light of the Orbitz data breach, the company is currently offering impacted customers complimentary credit monitoring and identity protection services. If you receive a notice from Orbitz about your information being compromised, this complimentary coverage lasts for one year from the date of notification.
To learn more about these complimentary services provided through AllClear ID, we called the number noted on an Orbitz statement regarding the breach. Although we weren’t able to obtain much in-depth information about the services provided, the response time from the call center was quick. During our brief conversation, we found out that the complimentary services include AllClear fraud alerts, immediate support from an investigator, phone alerts, lost wallet protection and identity theft insurance coverage.
Based on the conversation we had, the complimentary service also provides at least one free credit report and free credit score once yearly, but it was unclear if one credit report and credit score could be obtained from all three major credit bureaus or just one. As such, before you subscribe to the complimentary service, make sure to find out if AllClear ID will provide credit reports and scores from all three, since that can enable you to catch fraudulent activity sooner. Also, before you subscribe to the service, it may be helpful to find out the amount of identity theft monitoring that’s provided.
While we weren’t able to obtain much information on the extent of the services offered, when compared to other identity theft protection services, AllClear ID has not stacked up quite as well in the past. That said, we were pleased to note that it does now include Internet black market monitoring, a feature that all data breach victims need since that’s where information goes after a breach. Still, access to all three of your credit reports and scores (as well as continuous monitoring of all three by the service) is vital, which means it may make sense to opt for another identity theft protection service. Although you’ll likely have to pay a monthly fee (note that most services we review offer free trials), the extra protection you’ll receive will make it worthwhile. Identity Guard, our top-rated identity theft protection service, for example, is one service you might want to look into. This service offers three-bureau credit monitoring, and it will also engage in online black market monitoring, a vital service that assists you by monitoring black market websites and alerting you if your information pops up.
Interested in learning more about identity theft protection services? Take a look at our identity theft protection service reviews to see if one of these services is right for you.
More steps that you can take
There are some other steps you can take to further protect yourself from the consequences of the possible Orbitz data breach.
Monitor your bank and credit card statements
Since your payment card information may have been exposed, you’ll want to pay special attention to your credit card and bank statements. This means you’re taking a deeper look at each and every item on your statements to confirm they’re legitimate. If you spot something that you don’t recognize, follow the steps listed on our guide here.
Change your passwords
Anytime a breach occurs, it’s a good reminder to change your password for your online accounts. Be sure you select a password that’s at least 8 characters long, choosing a combination of uppercase and lowercase letters, a number and a special character. Your password should also be free of personal identifiers, such as your birth date, and it may be a good idea to avoid using anything resembling the worst passwords from 2017.
Consider placing a fraud alert, credit freeze or credit lock
Considering that some personal information was leaked in this breach, it doesn’t hurt to take extra steps to also protect your credit by placing a fraud alert, credit freeze or credit lock on your account. When a lender requests your credit file, a fraud alert would indicate that you think you may be a victim of fraud and the lender would then take extra steps to verify your identity — note that some of the more unscrupulous or careless lenders might skip this step and approve the new account anyway. A credit freeze, on the other hand, locks your credit for a period of time, making it impossible for any new credit accounts to be opened in your name. Credit locks are special products that the credit bureaus recently started offering, and while they seem similar to credit freezes, it may be better to just opt for a credit freeze, for reasons explained here.
As the number of data breaches goes up, it becomes increasingly important to protect your credit and your identity. To stay on top of the news pertaining to this breach and others, keep up with our data breach alerts blog.