Breach costs businesses $110,000
The state Attorney General’s Office reached a settlement with a pair of travel websites whose data was breached last year.
A settlement was reached with Orbitz and Expedia following an investigation into the 2018 data breach by Attorney General Josh Shapiro’s office.
Under the terms of the settlement, Expedia and Orbitz will pay $110,000, which includes an $80,000 civil penalty.
Expedia and Orbitz have also agreed to strengthen their security practices going forward.
“The breach showed the company’s promise to keep customer information secure was more like a leaky boat,” Shapiro said. “We work every day to protect Pennsylvania consumers and to seek justice when any company misrepresents itself.”
Orbitz disclosed in March 2018 that the breach might have exposed data for 20,755 Pennsylvania customers and 880,000 payment cards globally.
Expedia acquired Orbitz and its assets in September 2015.
The investigation, led by Deputy Attorney General Timothy R. Murphy, found a hacker had circumvented security detection and built malware that targeted payment cards.
The Assurance of Voluntary Compliance, filed in Philadelphia County, alleges Orbitz violated Pennsylvania’s Unfair Trade Practices and Consumer Protection Law by misrepresenting its customer-facing privacy policy regarding the safeguarding of its customers’ personal information, and failing to fully implement Expedia’s company policies related to data security.
In addition, multiple Payment Card Industry Data Security Standards requirements were not in place at the time of the breach.
