GUEST ESSAY: How Orbitz’s poor execution of a systems upgrade left data exposed

In case you thought it had been a suspiciously long time since a massive data breach was announced, well, here you go. Just a couple of days ago, Orbitz (part of the massive travel conglomerate Expedia) revealed that during the second part of last year, the personal data of many of their users was breached.

And by “many,” I mean somewhere in the neighborhood of 880,000. And while Orbitz promises that Social Security Numbers were compromised, a lot of other data was: names, dates-of-birth, even email and street addresses. And, of course, credit card  information. Let’s not forget that.

Related podcast: Why 2018 will be the year of the CISO

Importantly, this was not a phishing attack. It was a system hack, and although the exact method is unknown, the hackers did target an older Orbitz platform (not, as well as a partner sites (separate occasions), and were able to access records still embedded in it. And unlike with Equifax, this also doesn’t appear to be a situation in which administrators followed blatantly terrible password security practices.

These data loss situations are always somewhat harder to assess, since they can’t be directly traced back to a clear and specific bad decision. They’re also harder to pass judgement on or attempt to provide solutions for, for the same reason. And yet, anytime this much data is exposed, there’s a serious issue. Something wasn’t adequately protected—someone wasn’t doing what they were supposed to do. It might not be a cut-and-dried situation of a user imprudently clicking a bad link or failing to change a major server password from the system default, but there’s something fishy at play. Let’s unpack it a little bit.


First, this breach was not discovered until years after it occurred. The hacks both occurred back in 2016, which means that compromised data was floating around, likely being used for nefarious purposes by hackers, for nearly two years before anyone would have any reason as to why. This should raise major red flags. The fact that it took so long for the hack to be discovered likely means that the servers the information was stolen from were not being properly monitored. Typically, IT professionals that are on their game discover those hacks while they’re still in progress—not two years too late.

Hacker’s playground

So why were the systems clearly not being properly monitored? Well, probably because they were what’s known as “legacy” systems—older servers that still store data but have been replaced by newer systems (in this case, probably In most cases, these systems are older and not very well-protected—and they’re certainly not going to be closely monitored for unusual activity the way current systems would be. At best, they’re certain to become an afterthought: while all of IT’s attention is focused on the current, busy server, what happens to the old one gathering dust? An idle computer is the hacker’s playground.

I think the problem here is rapidly coming into focus. If a system is old and weak enough that it’s being replaced by a new one, then either all data from it needs to be transferred off, or at the very least it needs to be carefully monitored to ensure that everything is safe. There is absolutely no excuse for leaving important data vulnerable. So while this may not have been a hack in which an individual was, directly and immediately responsible, some very poor decisions led to this breach.

And as for prevention? Obviously, if you’re the organization responsible for protecting this data, you need to implement proper firewalls and other system security measures, as well as ensure that IT professionals are consistently monitoring each and every data-holding system to guarantee its security. You should also be well-versed in privacy standards related to the data you’re storing.

Under the radar

Many privacy regulations—the far-reaching General Data Protection Regulation among them—have strict stipulations as to how long and for what reasons older data is supposed to be stored. And if you’re a data-holder, hold the organizations that might possess your personal information to a high standard for protecting it.

In a way, a non-phishing-related attack like this one makes a helpful point about cyber security: hacks are not always the result of a blatantly obvious, easily pinpointed attacks, an email virus that spreads like wildfire and infects an entire system. Sometimes they fly so under the radar that they’re not even discovered for a year, or two, or three afterward. This ought to spur us on to even greater awareness, even more caution, even sharper and better enforced training programs. After all—these things can happen when we least expect them, and without us even realizing…until it’s too late. And, evidently, the cost can be deadly.

(Editor’s note: Natalie Williams is a client relations specialist at Global Learning Systems who writes regularly on technology topics. This article also appeared on GLS’s training blog.)


This is a Security Bloggers Network syndicated blog post authored by bacohido. Read the original post at: The Last Watchdog