Possible data breach at Orbitz affects 880,000 payment cards

The Expedia-owned travel booking site says personal information like names, birth dates and billing addresses may have been accessed.

Anne Dujmovic Former Senior Editor / News
Anne Dujmovic was a senior editor at CNET. Her areas of focus included the climate crisis, democracy and inclusive language. She believes in the power of great journalism and art, and the magic of tardigrades.
Expertise Editorial standards for writing about complex topics, from climate change to politics to misinformation. Credentials
  • Extensive journalism experience in digital media.
Anne Dujmovic
2 min read
Travelers line up at Atlanta's airport

Travel booking site Orbitz says the personal information of thousands of its customers may have been accessed. 

Tami Chappell / AFP/Getty Images

Travel booking site Orbitz said Tuesday that a possible security breach it discovered earlier this month may have exposed information tied to about 880,000 payment cards.

The company said the incident, discovered March 1, involved an older travel booking platform where information may have been accessed between October and December of last year.

Around 880,000 payment cards were affected. The attacker may have accessed personal information such as customers' full names, birth dates, phone numbers, email addresses and billing addresses. The company said it doesn't have "direct evidence" the information, tied to purchases made between January 2016 and December 2017, was taken from the site.

Last year was a big year for cybersecurity breaches, with credit monitoring firm Equifax reporting a data leak that hit around half the US population and Yahoo saying all 3 billion of its accounts were affected in a 2013 incident.

Orbitz said it worked with cybersecurity experts and law enforcement and "took swift action to eliminate and prevent unauthorized access to the platform" once it found evidence of a possible breach.

The company, which is owned by Expedia, said the current site, Orbitz.com, wasn't affected. Orbitz said it's notifying customers and business partners about the incident and is offering a year of free credit monitoring.

"Ensuring the safety and security of the personal data of our customers and our partners' customers is very important to us," the company said in a statement. "We deeply regret the incident, and we are committed to doing everything we can to maintain the trust of our customers and partners."

 CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.

Rebooting the Reef: CNET dives deep into how tech can help save Australia's Great Barrier Reef.