HARRISBURG – Attorney General Josh Shapiro today announced his office has reached a settlement with travel websites Orbitz and Expedia following an investigation into a 2018 data breach. Orbitz disclosed in March of that year that the breach may have exposed data for 20,755 Pennsylvania customers, including 880,000 payment cards globally. Expedia acquired Orbitz and its assets in September 2015.
The Attorney General’s investigation found a hacker had circumvented security detection and built malware that targeted payment cards. Orbitz was also notified by a business partner of a possible common point of purchase in connection with fraudulent transactions.
“Just like that, someone broke into Orbitz’ IT system and vacationed in what was supposed to be a safe place for travelers. The breach showed the company’s promise to keep customer information secure was more like a leaky boat,” Attorney General Josh Shapiro said. “We work every day to protect Pennsylvania consumers and to seek justice when any company misrepresents itself.”
The Assurance of Voluntary Compliance, filed in Philadelphia County, alleges Orbitz violated Pennsylvania’s Unfair Trade Practices and Consumer Protection Law by making misrepresentations in its customer-facing privacy policy about the safeguarding of its customers’ personal information and failing to fully implement Expedia’s company policies related to data security. In addition, multiple Payment Card Industry Data Security Standards requirements were not in place at the time of the breach.
Under the terms of the settlement, Expedia and Orbitz will pay $110,000, which includes an $80,000 civil penalty. Expedia and Orbitz have also agreed to strengthen their security practices going forward, including:
- Implementing a comprehensive information security program on the Orbitz website,
- Conducting an annual comprehensive risk assessment,
- Developing a plan and program for designing, implementing, and operating safeguards,
- Performing regular security monitoring, logging and testing,
- Employing improved access control and account management tools,
- Reorganizing and segmenting its network, and
- Complying with Payment Card Industry Data Security Standards.
Consumers can better protect their personal data against identity thieves and minimize their odds of being victimized by following these tips:
- Password protect all your electronic devices,
- Avoid using the same password for all your electronic devices and financial accounts,
- Avoid clicking on suspicious links in emails or text messages,
- Never give out your personal information to someone who calls you posing as a bank or credit card company employee—legitimate organizations do not call and ask for personal information,
- Regularly check your credit reports, and
- Establish fraud alerts.
The Orbitz and Expedia investigation was led by Deputy Attorney General Timothy R. Murphy.