Cyber Incident Victim: Orbitz Worldwide

Date: Jan 2016

Location: United States of America

Summary

A subsidiary of Expedia experienced a cybersecurity breach potentially exposing personal and payment card information from approximately 880,000 individuals across its consumer and partner platforms. The compromised data included names, contact details, and billing addresses, though passport information, travel itineraries, and U.S. Social Security numbers remained unaffected. The company addressed the incident after internal discovery, with no direct evidence confirming data exfiltration. This breach occurred alongside similar incidents targeting other major travel industry entities, highlighting sector-wide vulnerabilities. Payment card issuer platforms were not compromised in the attack.

Description

In March 2018, Orbitz, a subsidiary of Expedia Inc., disclosed a cybersecurity incident potentially compromising approximately 880,000 payment cards. The breach was discovered in March 2018, prompting an investigation that identified two distinct exposure windows: unauthorized access to Orbitz’s partner platform occurred between January 1, 2016, and December 22, 2017, while its consumer platform was affected from January 1, 2016, to June 22, 2016. The compromised data included names, phone numbers, email addresses, and billing addresses associated with payment cards. Orbitz clarified that its primary website, Orbitz.com, remained unaffected, and no evidence suggested passport details, travel itineraries, or U.S. customers’ Social Security numbers were accessed. The company emphasized it lacked direct proof that attackers exfiltrated the exposed personal information but acknowledged the potential risk to payment card data. American Express confirmed its platforms were not compromised in the incident.

Orbitz addressed the breach upon discovery in March 2018, though specific technical containment measures were not detailed in the disclosure. The incident contributed to a 1.9 percent decline in Expedia’s stock price, which fell to $108.99. This breach followed similar cybersecurity events in the travel sector, including attacks on InterContinental Hotels Group and Hyatt Hotels in the preceding year. No operational disruptions to Orbitz’s services were reported, and the company did not disclose whether law enforcement was involved or if regulatory penalties resulted. The disclosure focused on notifying affected customers and assuring stakeholders that core booking systems remained secure.
