orbitz site

Orbitz and Expedia Reach $110,000 Settlement with Pennsylvania AG Over 2017 Data Breach

The travel companies were fined for lax data security practices that potentially led to a breach affecting 880,000 payment cards globally.

  • By Haley Samsel
  • Dec 17, 2019

Travel websites Orbitz and Expedia have reached a settlement with the Pennsylvania attorney general’s office that concludes an investigation into a 2018 data breach, state Attorney General Josh Shapiro announced Friday.

Orbitz disclosed in March 2018 that a breach may have compromised data for 20,755 Pennsylvania users and up to 880,000 payment cards across the globe. Expedia has owned Orbitz and its assets since a sale in September 2015, according to the attorney’s office.

Shapiro and his team have fined the companies $110,000, including an $80,000 civil penalty, as punishment for lax data security policies that did not adequately protect customer information.

As part of the settlement, Expedia and Orbitz committed to strengthening their cybersecurity practices, including implementing a comprehensive security program on Orbitz’s website. In addition, the companies must conduct an annual comprehensive risk assessment, reorganize its network to be more segmented, and deploy better access control and account management tools.

“Someone broke into Orbitz’ IT system and vacationed in what was supposed to be a safe place for travelers,” Shapiro said in a statement. “The breach showed the company’s promise to keep customer information secure was more like a leaky boat. We work every day to protect Pennsylvania consumers and to seek justice when any company misrepresents itself.”

Shapiro’s settlement follows in the footsteps of other attorneys general who have gone after companies for data breaches in recent years. In July, all 50 state attorneys general declared victory after reaching a $650 million settlement with Equifax, the consumer reporting agency that suffered a 2017 breach affecting 147 million customers.

Orbitz, which did not provide comment on the sesttlement, first began to investigate a breach in 2017 after discovering that an older website, which hosted its travel rewards redemption service, and the platform of an unnamed business partner were breached, according to Fortune. The stolen information included names, dates of birth, email addresses and street addresses in addition to payment card information.

About the Author

Haley Samsel is an Associate Content Editor for the Infrastructure Solutions Group at 1105 Media.

Featured

  • 5 Tips to Improve Your Password Security

    Change Your Password Day is right around the corner. Observed every year on February 1, the day aims to raise awareness about cybersecurity and underscores the importance of keeping passwords strong and up to date. Read Now

  • Enhancing Port Security

    DP World Yarimca, one of the largest container terminals of the Gulf of İzmit and Turkey, is a strong proponent of using industry-leading technology to deliver unrivaled value to its customers and partners. As the port is growing, DP World Yarimca needs to continue to provide uninterrupted operations and a high level of security.To address these challenges, DP World Yarimca has embraced innovative technological products, including FLIR's comprehensive portfolio of security monitoring solutions. Read Now

  • Hot AI Chatbot DeepSeek Comes Loaded With Privacy, Data Security Concerns

    In the artificial intelligence race powered by American companies like OpenAI and Google, a new Chinese rival is upending the market—even with the possible privacy and data security issues. Read Now

  • Survey: CISOs Increasing Budgets for Crisis Simulations in 2025

    Today, Cyber Performance Center, Hack The Box, released new data showcasing the perspectives of Chief Information Security Officers (CISOs) towards cyber preparedness in 2025. In the aftermath of 2024’s high-profile cybersecurity incidents, including NHS, CrowdStrike, TfL, 23andMe, and Cencora, CISOs are reassessing their organization’s readiness to manage a potential “chaos” of a full-scale cyber crisis. Read Now

Most   Popular

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.