Names, addresses, phone numbers and e-mail addresses of Travelocity customers who participated in a promotion on its site were exposed. Travelocity executives closed the breach, which involved an insecure directory, on Monday afternoon after it was pointed out.
For more than a month, up to 51,000 names could have been exposed by the breach, said Jim Marsicano, executive vice president of sales and service for Travelocity. Blaming the problem on human error, Marsicano stressed that no customer order information was compromised by the security hole.
"We take this privacy thing very seriously," Marsicano said. But he added, "In this case, we didn't do what we were supposed to do."
Although Travelocity is still investigating the incident, Marsicano said that it stemmed from the transfer of the company's servers from San Francisco to Tulsa last month. As part of the move, some of the company's internal data from two promotional contests that ran last year was inadvertently left on a computer that is now being used as a Web server, he said.
"We had a weak link in this particular transaction and you see the end result," he said.
These kinds of breaches occur when a company gets complacent about security risks, said Richard Power, editorial director of the Computer Security Institute.
"This is an error (of) not dotting their I's or crossing their T's," Power said. "This is a situation where they are probably understaffed, or they haven't understood that they are at risk of somebody poking around."
Travelocity is only the latest site to compromise customer information.
Last month, a hacker broke into Egghead.com, potentially exposing its 3.7 million customer accounts. Weeks later, the company said the hacker didn't gain access to any of the credit card numbers it had on file, but by then many of the credit cards had been canceled by banks or worried customers.
An e-commerce executive, who asked to remain anonymous, reported the security hole to CNET News.com on Monday. The insecure directory allowed anyone to see the customer data without a password.
Travelocity's Web site assures customers of the site's security, saying it uses "the latest encryption technology to ensure that every transaction is safe." The company said it encrypts all personal information after it is entered and transmits the encrypted information over the Internet to a secure server, where it is translated back to its original form and stored in an offline database.
Simple errors like the Travelocity breach have happened all too frequently, said Jason Catlett, president of the spam-fighting group Junkbusters. They stem from companies not devoting enough financial resources and technical expertise to addressing security issues, he said.
"Of course these mistakes shouldn't happen," Catlett said. "There's a rush to be first with a new feature and to get the promotion running rather than making sure all of the doors are locked before they open the front gate."