20K Pennsylvanians Targeted In Travel Website Data Breach

Under the terms of the settlement, Expedia and Orbitz will pay $110,000, which includes an $80,000 civil penalty.

Pennsylvania officials have reached a settlement with travel websites Orbitz and Expedia following a data breach that impacted more than 20,000 Pennsylvanians.

The Pennsylvania Attorney General’s office investigated the 2018 data breach, determining that a hacker had circumvented security detection and built malware that targeted payment cards.

“Just like that, someone broke into Orbitz’ IT system and vacationed in what was supposed to be a safe place for travelers. The breach showed the company’s promise to keep customer information secure was more like a leaky boat,” Attorney General Josh Shapiro said in a statement.

Orbitz violated Pennsylvania’s Unfair Trade Practices and Consumer Protection Law by making misrepresentations in its customer-facing privacy policy about the safeguarding of its customers’ personal information and by failing to fully implement Expedia’s company policies related to data security, the Attorney General's office said.

Additionally, multiple Payment Card Industry Data Security Standard (PCI DSS) requirements were not in place at the time of the breach.

Under the terms of the settlement, Expedia and Orbitz will pay $110,000, which includes an $80,000 civil penalty.

Expedia and Orbitz have also agreed to strengthen their security practices going forward, including:

  • Implementing a comprehensive information security program on the Orbitz website,
  • Conducting an annual comprehensive risk assessment,
  • Developing a plan and program for designing, implementing, and operating safeguards,
  • Performing regular security monitoring, logging and testing,
  • Employing improved access control and account management tools,
  • Reorganizing and segmenting its network, and
  • Complying with the Payment Card Industry Data Security Standard.

To better protect consumers’ personal data against identity thieves, the Attorney General offers these tips to minimize your odds of being victimized:

  • Password protect all your electronic devices,
  • Avoid using the same password for all your electronic devices and financial accounts,
  • Avoid clicking on suspicious links in emails or text messages,
  • Never give out your personal information to someone who calls you posing as a bank or credit card company employee—legitimate organizations do not call and ask for personal information,
  • Regularly check your credit reports, and
  • Establish fraud alerts.
