Expedia says it has taken action to enhance security after disclosing that its Orbitz brand had a data breach involving 880,000 customer payment details.
The breach involved records dating back to between January 2016 and December 2017 and an older version of the Orbitz.com website.
Expedia bought Orbitz in 2015 for $1.6 billion following the $280 million acquisition of another rival US OTA Travelocity, the former lastminute.com parent, in the same year.
Orbitz, which disclosed the data breach also affected a business partner whose identity was not made public, said hackers were likely to have been able to access customers’ names, dates of birth, email addresses, street addresses and genders.
The firm said there was no evidence that US social security numbers were compromised or travel itineraries or passport details.
Customer have been advised to check their credit and debit card statements and Orbitz has offered any victims free credit monitoring for a year.
Orbitz said the breach was discovered on March 1 and that it “deeply regret the incident”. “We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform,” the firm added.