by Michael J. Shapiro | March 20, 2018

A 2017 security breach on an Orbitz platform put personal information from 880,000 payment cards at risk, according to the online travel agency, which revealed the incident today. The breach occurred on a legacy platform, and does not affect the current site.

Orbitz uncovered the issue this past March 1, but the unauthorized access possibly occurred between Oct. 1 and Dec. 22 last year. The consumer-platform breach affects purchases made between Jan. 1, 2016, and June 22, 2016; the partner-platform data corresponds to purchases made for a nearly two-year period, from Jan. 1, 2016, through Dec. 22, 2017. 
Orbitz has been working with a third-party forensic-investigation firm, law enforcement and various cybersecurity experts to prevent any further unauthorized access and to investigate the breach. At this point, they haven't uncovered evidence that any personal info was actually taken, but hackers very likely accessed full names, payment-card info, dates of birth, phone numbers, email addresses, physical and/or billing addresses, and gender.
There isn't any evidence that hackers accessed other types of personal info, including passport numbers or travel itineraries. And U.S. Social Security numbers were not involved because they were never collected or stored on the platform.
Orbitz currently is notifying all affected customers and partners, and offering them one year of complimentary credit monitoring and identity protection in countries where that is available. The online travel agency also is offering partners complimentary customer-notice support for their customers if necessary.
"Ensuring the safety and security of the personal data of our customers and our partners' customers is very important to us," an Orbitz spokesperson said in a statement. "We deeply regret the incident, and we are committed to doing everything we can to maintain the trust of our customers and partners."

Orbitz customers with questions can consult or call 1-855-828-3959 toll-free in the U.S. or 1-512-201-2214 from international numbers.

In a statement on the incident, American Express said its Global Business Travel and American Express platforms were not compromised, even though the attack involved an Orbitz platform that is the underlying booking engine for and travel booked through Amex Travel Representatives. Amex continued: 
American Express monitors its card-member accounts for unusual activity and will be elevating fraud monitoring for those accounts that might have been impacted by the Orbitz attack. American Express will be reaching out to its impacted travel customers to provide additional information and support, including two years of complimentary credit monitoring and identity-protection services. 
As always, American Express encourages customers to monitor their card accounts, and if they see any suspicious activity, immediately contact the number on the back of their card. Card members can enroll for alerts that will notify them of potentially fraudulent activity at or through the settings on the American Express smartphone app. Notifications can be received via text messages, through push notifications via the smartphone app and email. Customers can also call the number on the back of their cards for additional support or information.