Travel booking site Orbitz said Tuesday that two years worth of customer credit card numbers and other PII was up for grabs after a hack that targeted a legacy system and website it no longer uses.
It estimates that 880,000 credit card numbers could have been taken between January and June of 2016, and all the way through December 2017 for travel partner websites which use Orbitz to power travel searches for their own customers.
Twitter is loaded with one-liners as news spread around the world in multiple languages. In general, those on Twitter seemed to be making light of the situation:
And then there is reaction from the tech sector.
Nathan Wenzler, Chief Security Strategist at AsTech, a security consulting firm, said: "Legacy systems are common attack points, as they are often neglected, go without updates or patches and are commonly not monitored, which gives criminals an ideal avenue to gain access and steal whatever data may be resident there. In this case, it was nearly 900,000 credit card accounts. Credit monitoring may be a nice PR gesture, but it does not absolve companies from doing their due diligence around securing legacy systems and protecting their customers data, no matter where it lives.”
AmexTravel issued a statement saying its customers had their data exposed for the maximum possible time in this case. The company uses Orbitz as its engine for travel bookings.
One last interesting note: So far, there is no social media firestorm like there was after the Equifax breach.
Mainly, Twitter users are just reporting on the breach instead of ranting against the company.
That has to warm the hearts of the Expedia marketing team. Expedia owns more than 200 travel booking sites around the world, including Orbitz.