The company said it turned up evidence earlier this month of the possible breach when investigating a "legacy" Orbitz platform.
Orbitz, which is owned by Expedia, says it has "identified and remediated a data security incident affecting a legacy travel booking platform".
According to the statement, the company found evidence in March that an attacker had access to the company's legacy systems between October and December past year. They determined that the attacker had access to it between October 1 and December 22, 2017, and may have stolen information stored on the system that was submitted by Orbitz customers between January 1, 2016 and June 22, 2016, as well as information submitted by "certain partners' customers" between January 1, 2016 and December 22, 2017. Orbitz doesn't have any "direct evidence" that such personal information was taken, nor does the company have any evidence that passport or travel information was accessed. Orbitz said it's notifying customers and business partners about the incident and is offering a year of free credit monitoring.
Expedia Inc.'s (NASDAQ: EXPE) subsidiary, Orbitz disclosed on Tuesday a possible data breach that affected almost up to 880,000 credit cards used on the website.
It was already one of the worst weeks for revelations of data breaches.
PS: Active.com has admitted today it was hacked, with names, addresses, email addresses, credit or debit card numbers, expiration dates, and cardholder verification codes entered into its network of websites lifted by miscreants between December 2016 and September 2017.
The company says it's working with an unnamed, digital forensic investigation firm to investigate the breach, and that it's notified law enforcement agencies.
The company said Tuesday about 880,000 payment cards were impacted.
Expedia acquired Orbitz, a rival travel website, back in 2015 in a $1.6 billion deal.