The breach at Expedia's Orbitz not only jeopardized nearly 880,000 payment cards — it cast a spotlight on the weaknesses all companies expose themselves to when they partner with another brand.
Expedia was quick to issue a mea culpa, but that's likely little comfort to brands like Amextravel.com, the company's consumer travel portal, which partnered with Orbitz on the back end to serve business-travel customers. Amex may have had no hand in the breach, but it definitely took a reputational hit from the customers that it had to notify.
"[This is] more an example of the brand risk associated with relying on third-party providers," said Julie Conroy, a research director at Aite Group.
Expedia said the current Orbitz.com website was not involved — rather, the attack affected an older database that may have been accessed between October and December 2017. Orbitz partner data, booked through external sites such as Amex Travel between between Jan. 1, 2016, and Dec. 22, 2017, may have also been impacted.
The incident demonstrates that merchants face a greater burden to protect data that may be tainted from a prior breach at a third party. Retailers already lose about 8% of their annual revenue to costs associated with fraud, according to Javelin, and more layers of security could cost more.
"While this reinforces the need for all businesses to have a thorough vetting of their partners’ data security controls, the reality is that the cyber-threat landscape is moving so fast that it’s hard for even the large and sophisticated firms to keep pace," Conroy said. "The only data beyond attackers' reach is the data that has been devalued through tokenization and encryption technologies."
At Orbitz, the attacker had access to stolen names, payment card information, date of birth, phone number, email address, billing address and gender. Social Security numbers were not involved in the incident, according to Expedia, which added that there's no evidence that actual travel itineraries were stolen. Amex noted the attack did not compromise American Express Global Business Travel, and said it would monitor account for future unusual activity and elevate fraud monitoring for accounts that may have been impacted by the Orbitz attack.
Amex and Expedia did not return requests for comment, though both issued general statements.
There is some good news. First, it appears Expedia and Orbitz reported the incident relatively quickly. In an email, Willy Leichter, vice president of marketing for Virsec, said the announcement came within three weeks of discovery — much faster than the major breaches at Equifax and Uber.
But the availability of data on an older system is "unsettling," Leichter said. "That makes it sound like it's OK to neglect security on older systems while you focus on your latest, coolest apps. If it's a public-facing website with real data, it's not legacy. It's live and a real liability."
That means that payment companies, processors, acquirers and merchants are also using this "legacy" system by extension, since the data exposure follows the card downstream, exposing the cardholders to threats that may linger indefinitely. The Equifax breach had little to do with active spending, but that's where the stolen data may wind up, for years to come.
"The individual or group that executes the actual data theft isn't the same group that directly monetizes that data," said Tim Erlin, vice president of product management and strategy at Tripwire. "They're likely to sell the data to other parties, who may sell it again before someone actually uses the stolen card numbers or commits identity theft."
E-commerce is at particular risk, according to Erlin. "The days of manufacturing counterfeit physical cards have been largely curtailed with the advent of EMV cards that are harder, though not impossible, to duplicate."
Card not present transactions should require a Card Verification Value, which is printed on the physical card. That should make fraudulent card not present transactions difficult, but theory and practice don't always match, according to Erlin.
The card not present e-commerce environment of a company such as a travel booking site heightens the risk because of the critical mass of card data that's more lucrative for attackers, said Avivah Litan, a vice president at Gartner Research.
"[These] companies must employ a layered security approach to protect their customer data," Litan said. "The includes strong preventative controls on networks and endpoints, and rapid detection if and when attacks get trough."
That also includes encryption, tokenization and data access and behavior analytics. "The list goes on and on, and smart security means that not only technical controls are in place, but the people and processes to manage it are well tuned, proactive and responsive," Litan said.