Expedia said it has taken action to enhance security after disclosing that its Orbitz brand suffered a data breach involving the payment details of 880,000 customers.
Orbitz disclosed the data breach, revealing it involved records over a two-year period dating back to between January 2016 and December 2017, and to an older version of the Orbitz.com website.
The breach also affected an Orbitz business partner whose identity was not made public. The company said hackers were likely to have been able to access customers’ names, dates of birth, email addresses, street addresses and genders.
However, it said there was no evidence that US social security numbers, travel itineraries or passport details were compromised.
Customers have been advised to check their credit and debit card statements and Orbitz has offered victims free credit-monitoring for a year.
Orbitz said the breach was discovered on March 1.
The company said it “deeply regret the incident”. In a statement, it said: “We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform.”
Expedia bought Orbitz in 2015 for $1.6 billion following the $280 million acquisition of US online travel agent Travelocity, former parent of lastminute.com, in the same year.
Orbitz was initially set up by a consortium of US airlines to sell flight tickets online, in the same way that Opodo was established in Europe.