- Companies agreed to strengthen data security practices
- Orbitz allegedly violated state consumer protection law
Orbitz Worldwide LLC and Expedia Inc. will pay $110,000 to settle a Pennsylvania investigation into a 2018 data breach that may have exposed 880,000 payment cards worldwide.
The settlement is the latest in a series of actions by state attorneys general to hold a company accountable for data security and privacy practices in the wake of high-profile breaches.
Orbitz misrepresented safeguards for customer data in its privacy policy, Attorney General Josh Shapiro (D) alleged in a Dec. 13 statement announcing the settlement. Orbitz also allegedly failed to comply with Expedia’s data security policies and didn’t follow payment card industry standard practices, according to the settlement. Expedia bought Orbitz in 2015.
“The breach showed the company’s promise to keep customer information secure was more like a leaky boat,” Shapiro said. He alleged Orbitz violated the state’s unfair trade practices and consumer protection law.
Expedia didn’t immediately respond to a request for comment.
Orbitz in January 2018 determined a hacker used malware to target payment card information on a business partner’s portal, according to the settlement. Orbitz later found the hacker likely accessed more payment card data through its legacy platform.
Expedia and Orbitz have agreed to adopt an information security program on Orbitz’s website and conduct annual risk assessments, among other new security practices, according to the settlement.
