Going after partners to get at card data
The breach at Expedia's Orbitz not only jeopardized nearly 880,000 payment cards — it cast a spotlight on the weaknesses all companies expose themselves to when they partner with another brand.
Expedia was quick to issue a mea culpa, but that's likely little comfort to brands like Amextravel.com, the company's consumer travel portal, which partnered with Orbitz on the back end to serve business-travel customers. Amex may have had no hand in the breach, but it definitely took a reputational hit from the customers that it had to notify.
"[This is] more an example of the brand risk associated with relying on third-party providers," said Julie Conroy, a research director at Aite Group.
Expedia said the current Orbitz.com website was not involved — rather, the attack affected an older database that may have been accessed between October and December 2017. Orbitz partner data, booked through external sites such as Amex Travel between Jan. 1, 2016, and Dec. 22, 2017, may have also been impacted.
The incident demonstrates that merchants face a greater burden to protect data that may be tainted from a prior breach at a third party. Retailers already lose about 8% of their annual revenue to costs associated with fraud, according to Javelin, and more layers of security could cost more.
"While this reinforces the need for all businesses to have a thorough vetting of their partners’ data security controls, the reality is that the cyber-threat landscape is moving so fast that it’s hard for even the large and sophisticated firms to keep pace," Conroy said. "The only data beyond attackers' reach is the data that has been devalued through tokenization and encryption technologies."