Orbitz investigates security breach

October 28, 2003

By Alorie Gilbert, CNET News.com


Online travel agency Orbitz has notified law enforcement authorities about a recent security breach that has resulted in its customers' e-mail addresses falling into the hands of spammers, an Orbitz representative confirmed Tuesday.

"A small number of customers have informed us that they have received spam or junk e-mail from an unknown party that apparently used unauthorized and/or illegal means to obtain their e-mail addresses used with Orbitz," spokeswoman Carol Jouzaitis said in a statement. "There is no evidence that customer password or account information has been compromised."

Orbitz found no indication that credit card information had been compromised, Jouzaitis added.

Orbitz became aware of the problem "in the last day or so," Jouzaitis said.

The Chicago-based company has informed the FBI of the information leak and has launched its own internal investigation with a team of security experts, said Jouzaitis.

"We will aggressively pursue all individuals who may have been involved," Jouzaitis said in her statement. She declined to provide any further information on the nature of the breach.

Orbitz' privacy policy states that the company does not disclose customers' personal information, including e-mail addresses, to third-party advertisers unless customers authorize it to do so. The company says that permission process is separate from any permissions customers provide during the registration process.

One CNET News.com reader said spam messages began trickling in on Sunday to an e-mail address that the reader had given only to Orbitz. The offending e-mail was completely unrelated to Orbitz or airline travel, the reader said.

"I did not give them permission to share my personal data, and I did opt out of receiving their ads during the registration process, as I always do," said the reader, who wished to remain anonymous. "Plus, they already admitted in their e-mails to me that they are aware that there was a problem and that my info should not have been divulged--now the question is: What happened and how severe of a problem is it?"

Several other apparent Orbitz members aired similar complaints about Orbitz and spam on Google's Usenet discussion forum and on the BroadbandReports.com discussion board on Monday.

main page ATTRITION feedback