[BreachExchange] Attorney general announces settlement with travel websites after data breach

[Destry Winant]

https://www.timesonline.com/news/20191213/attorney-general-announces-settlement-with-travel-websites-after-data-breach

Attorney General Josh Shapiro announced Friday his office reached a
settlement with travel websites Orbitz and Expedia after an
investigation into a 2018 data breach.

Attorney General Josh Shapiro announced Friday his office reached a
settlement with travel websites Orbitz and Expedia after an
investigation into a 2018 data breach.

Orbitz disclosed in March 2018 that the breach may have exposed data
for 20,755 Pennsylvania customers, including 880,000 payment cards
globally. Expedia acquired Orbitz and its assets in September 2015.

The investigation found a hacker had evaded security detection and
built malware that targeted payment cards. A business partner of
Orbitz notified the company of possible common point of purchase in
connection with fraudulent transactions, according to a press release.

“Just like that, someone broke into Orbitz’s IT system and vacationed
in what was supposed to be a safe place for travelers. The breach
showed the company’s promise to keep customer information secure was
more like a leaky boat,” Shapiro said in a release. “We work every day
to protect Pennsylvania consumers and to seek justice when any company
misrepresents itself.”

The Assurance of Voluntary Compliance alleges Orbitz violated
Pennsylvania’s Unfair Trade Practices and Consumer Protection Law by
making misrepresentations in its customer-facing privacy policy about
the safeguarding of its customer’s personal information and failing to
fully implement Expedia’s company policies related to data security,
according to the release. In addition, multiple Payment Card Industry
Data Security Standards requirements were not in place at the time of
the breach.

Expedia and Orbitz will pay $110,000, which includes an $80,000 civil
penalty. Expedia and Orbitz have also agreed to strengthen their
security practices by doing the following:

‒ Implementing a comprehensive information security program on the
Orbitz website.

‒ Conducting annual comprehensive risk assessment.

‒ Developing a plan and program for designing, implementing and
operating safeguards.

Click to find out more about a new promotion

‒ Performing regular security monitoring, logging and testing.

‒ Employing improved access control and account management tools.

‒ Reorganizing and segmenting its network.

‒ Complying with Payment Card Industry Data Security Standards.

To better protect consumers’ personal data against identity thieves,
Shapiro’s office suggests the following tips to minimize your odds of
being victimized:

‒ Password protect all your electronic devices.

‒ Avoid using the same password for all your electronic devices and
financial accounts.

‒ Avoid clicking on suspicious links in emails or text messages.

‒ Never give out your personal information to someone who calls you
posing as a bank or credit card company employee — legitimate
organizations do not call and ask for personal information.

‒ Regularly check your credit reports.

‒ Establish fraud alerts.