Monday, December 23, 2024

Orbitz Breach Exposes Risks to Partners, and the Vulnerabilities of Older Technology

Another day, another data breach. But each one has lessons for the payments industry, and that includes the breach disclosed Tuesday by online travel-services provider Expedia Inc.’s Orbitz subsidiary.

Hackers accessed one of Orbitz’s older systems and thereby may have exposed 880,000 payment card numbers on file, according to press reports. The breach occurred from last October through most of December, but the affected cards were used in 2016 and most of 2017. Orbitz said it discovered the breach March 1.

The cards on file were used to book travel through Orbitz or through sites that use its platform, including the American Express Co.-affiliated Amextravel.com. Also exposed were customer names, addresses, and birthdays.

One fairly obvious lesson from the Orbitz breach, according to experts, is that online and other card-not-present merchants had better be prepared for more fraud attempts as e-commerce and mobile commerce grow and as the proliferation of EMV chip cards in the U.S. reduces hackers’ opportunities for counterfeit fraud at the physical point of sale.

“The breach isn’t unusual, it is a harbinger,” Al Pascual, senior vice president and head of fraud and security at Pleasanton, Calif.-based Javelin Strategy and Research, says by email. “Consider that CNP fraud is on the rise, and if that is to continue then fraudsters are going to need more data. Not to say it is okay or that we should be complacent, but we should expect that breaches of online merchants will become more regular.”

Another lesson is the risk breached entities present to partners such as AmEx, Julie Conroy, research director at Boston-based Aite Group LLC, tells Digital Transactions News by email. “While this reinforces the need for all businesses to have a thorough vetting of their partners’ data-security controls, the reality is that the cyberthreat landscape is moving so fast that it’s hard for even the large and sophisticated firms to keep pace,” she says. “The only data beyond attackers’ reach is the data that has been devalued through tokenization and encryption technologies.”

AmEx issued a statement saying the Orbitz incident “was not an attack on, and did not compromise, American Express Global Business Travel or the American Express platforms that cardmembers use to manage their American Express card accounts.” The company said it will step up fraud monitoring of accounts that might have been affected by the attack, and that it “will be reaching out to its impacted travel customers to provide additional information and support, including two years of complimentary credit monitoring and identity-protection services.”

Willy Leichter, vice president of marketing at San Jose, Calif.-based security technology firm Virsec Systems Inc., says in an email that it’s “unsettling” that data were stored on a so-called legacy Web site. “That makes it sound like it’s okay to neglect security on older systems while you focus on your latest, coolest apps,” he says. “If it’s a public-facing Web site with real data, it’s not legacy—it’s live, and a real liability.”

Digital Transactions