FlyerTalk Forums

-   -   Orbitz Hacked: Customer DOBs leaked thanks to DHS/TSA Secure Flight (https://www.flyertalk.com/forum/checkpoints-borders-policy-debate/1899904-orbitz-hacked-customer-dobs-leaked-thanks-dhs-tsa-secure-flight.html)

studentff Mar 21, 2018 7:08 am

Orbitz Hacked: Customer DOBs leaked thanks to DHS/TSA Secure Flight
 
https://www.usnews.com/news/business...-likely-hacked
https://www.theverge.com/2018/3/20/1...h-credit-cards


Orbitz said Tuesday about 880,000 payment cards were impacted.

Data that was likely exposed includes name, address, payment card information, date of birth, phone number, email address and gender.
The compromised data would be much less useful to identity thieves if it did not include date of birth, which Orbitz is required to collect thanks to DHS/TSA "Secure Flight" requirements. DOB gives the thieves a much better chance of opening accounts in the victims' names. Thanks TSA. :(

I have little hope of this, but DHS/TSA should be a party to any lawsuits or other accountability actions taken against Orbitz for this breach.

petaluma1 Mar 21, 2018 7:34 am


Originally Posted by studentff (Post 29550285)
https://www.usnews.com/news/business...-likely-hacked
https://www.theverge.com/2018/3/20/1...h-credit-cards



The compromised data would be much less useful to identity thieves if it did not include date of birth, which Orbitz is required to collect thanks to DHS/TSA "Secure Flight" requirements. DOB gives the thieves a much better chance of opening accounts in the victims' names. Thanks TSA. :(

I have little hope of this, but DHS/TSA should be a party to any lawsuits or other accountability actions taken against Orbitz for this breach.

I believe it is safe to say that FlyerTalk pundits predicted this would happen when airlines were first forced to gather so much personal information on travelers.

GUWonder Mar 21, 2018 8:37 am


Originally Posted by petaluma1 (Post 29550385)
I believe it is safe to say that FlyerTalk pundits predicted this would happen when airlines were first forced to gather so much personal information on travelers.

Yes, but the airlines were more than willing to play nicely with the government. But passengers can still travel with the wrong birthday info in the bookings and the airlines’ customer tracking systems.

seawolf Mar 23, 2018 8:41 am


Originally Posted by studentff (Post 29550285)
https://www.usnews.com/news/business...-likely-hacked
https://www.theverge.com/2018/3/20/1...h-credit-cards



The compromised data would be much less useful to identity thieves if it did not include date of birth, which Orbitz is required to collect thanks to DHS/TSA "Secure Flight" requirements. DOB gives the thieves a much better chance of opening accounts in the victims' names. Thanks TSA. :(

I have little hope of this, but DHS/TSA should be a party to any lawsuits or other accountability actions taken against Orbitz for this breach.

Oh please. Orbitz is responsible. Nothing to do with the Secure Flight requirement. If you are blaming DHS, then take it further, then blame financial institutions for using DOB on applications. You then can also blame financial institutions for credit reporting bureau breaches. If the banks didn’t use DOB, DOB couldn’t be used for identity theft.

studentff Mar 23, 2018 11:50 am


Originally Posted by seawolf (Post 29558132)
Oh please. Orbitz is responsible. Nothing to do with the Secure Flight requirement. If you are blaming DHS, then take it further, then blame financial institutions for using DOB on applications. You then can also blame financial institutions for credit reporting bureau breaches. If the banks didn’t use DOB, DOB couldn’t be used for identity theft.

Storing superfluous unnecessary personally-identifying-information (PII) aggravates the severity of data breaches. Most reasonable organizations have policies to minimize PII collection/storage to the minimum necessary to complete a business purpose. Exact DOB would be irrelevant to booking/completing air travel if it weren't for DHS/TSA policy.

Sure, Orbitz is responsible for the data breach. But DHS/TSA architects of "Secure Flight" are responsible for sensitive information like DOB being stored at Orbitz.

(And in a perfect world, financial institutions wouldn't store DOB either. They would do whatever authentication they need/want to do when the customer signs up and then destroy the sensitive information and just keep an electronic indicator that the customer was authenticated. Companies will start learning these sorts of techniques over the next few years if they are held vigorously and expensively accountable for the impact of data breaches.)
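
The "verify at signup, then destroy the DOB and keep only an indicator" pattern described in the post above, as an added example that is not part of the original thread and is not Orbitz's or any airline's code. The verification check (`verify_dob`) is a hypothetical stand-in for whatever a business actually does; the optional keyed commitment goes one step beyond the post by allowing a later re-check of a claimed DOB without ever storing it, and `brute_force_unkeyed` shows why an unkeyed hash would not achieve that.

```python
"""Verify-then-discard handling of a customer's date of birth.

Added example, not code from the forum thread or from Orbitz. The
verification check is a hypothetical stand-in; the point is that the
persisted record carries no DOB field at all.
"""
import hashlib
import hmac
from dataclasses import asdict, dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class StoredCustomer:
    """Everything that is persisted after signup. There is no dob field."""
    customer_id: str
    email: str
    dob_verified: bool
    verified_at: Optional[str]       # ISO-8601 timestamp of the check
    dob_commitment: Optional[str]    # keyed HMAC of the DOB, or None


def verify_dob(claimed: date, today: date) -> bool:
    """Hypothetical stand-in for the business's own signup check:
    the date must be in the past and not implausibly old."""
    age_days = (today - claimed).days
    return 0 < age_days < 120 * 365


def commit_dob(dob_iso: str, key: bytes) -> str:
    """Keyed commitment to a DOB. A bare hash would not do: only a few
    tens of thousands of plausible DOBs exist, so sha256(dob) falls to
    enumeration in well under a second (see brute_force_unkeyed). The key
    must live outside the customer database (KMS/HSM); if both leak
    together, this is no better than storing the DOB in the clear."""
    return hmac.new(key, dob_iso.encode(), hashlib.sha256).hexdigest()


def onboard(customer_id: str, email: str, dob_iso: str, key: bytes,
            today_iso: Optional[str] = None,
            keep_commitment: bool = False) -> StoredCustomer:
    """Verify the DOB at signup, then persist only the outcome."""
    dob = date.fromisoformat(dob_iso)
    today = (date.fromisoformat(today_iso) if today_iso
             else datetime.now(timezone.utc).date())
    ok = verify_dob(dob, today)
    record = StoredCustomer(
        customer_id=customer_id,
        email=email,
        dob_verified=ok,
        verified_at=datetime.now(timezone.utc).isoformat() if ok else None,
        dob_commitment=commit_dob(dob_iso, key) if (ok and keep_commitment) else None,
    )
    # dob / dob_iso go out of scope here; nothing in `record` carries them.
    return record


def recheck_dob(record: StoredCustomer, claimed_iso: str, key: bytes) -> bool:
    """Later re-authentication without a stored DOB: recompute the
    commitment from the claimed value and compare in constant time."""
    if record.dob_commitment is None:
        return False
    return hmac.compare_digest(record.dob_commitment, commit_dob(claimed_iso, key))


def exposed_fields(record: StoredCustomer) -> set:
    """Field names an attacker obtains by dumping this table."""
    return set(asdict(record))


def unkeyed_hash(dob_iso: str) -> str:
    """The naive 'just hash it' design, for comparison."""
    return hashlib.sha256(dob_iso.encode()).hexdigest()


def brute_force_unkeyed(digest_hex: str, start_iso: str = "1900-01-01",
                        end_iso: str = "2020-12-31") -> Optional[str]:
    """Recover a DOB from its unkeyed hash by enumerating every date in
    range; demonstrates why hashing alone is not minimization."""
    d, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    while d <= end:
        iso = d.isoformat()
        if unkeyed_hash(iso) == digest_hex:
            return iso
        d += timedelta(days=1)
    return None


if __name__ == "__main__":
    # Constructed sample data; the key would normally come from a KMS.
    key = b"\x01" * 32
    rec = onboard("cust-1", "traveler@example.com", "1980-05-17", key,
                  today_iso="2018-03-21", keep_commitment=True)
    print("persisted fields:", sorted(exposed_fields(rec)))
    print("recheck correct DOB:", recheck_dob(rec, "1980-05-17", key))
    print("recheck wrong DOB:  ", recheck_dob(rec, "1980-05-18", key))
    print("unkeyed hash recovered:", brute_force_unkeyed(unkeyed_hash("1980-05-17")))
```

Design note: the record stores the fact that a check happened and when, not the value that was checked. If a regulatory transmission of the DOB is required at booking time, it can be sent from the same request context and still never written to the customer table.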

seawolf Mar 23, 2018 12:18 pm


Originally Posted by studentff (Post 29558865)
Storing superfluous unnecessary personally-identifying-information (PII) aggravates the severity of data breaches. Most reasonable organizations have policies to minimize PII collection/storage to the minimum necessary to complete a business purpose. Exact DOB would be irrelevant to booking/completing air travel if it weren't for DHS/TSA policy.

Sure, Orbitz is responsible for the data breach. But DHS/TSA architects of "Secure Flight" are responsible for sensitive information like DOB being stored at Orbitz.

(And in a perfect world, financial institutions wouldn't store DOB either. They would do whatever authentication they need/want to do when the customer signs up and then destroy the sensitive information and just keep an electronic indicator that the customer was authenticated. Companies will start learning these sorts of techniques over the next few years if they are held vigorously and expensively accountable for the impact of data breaches.)

Which business organization minimizes PII collection/storage while ignoring regulatory requirements applicable to their business?

I'm sure many HR departments would love to have employees working (business purpose) without having to handle the labor and taxation requirements and the PII involved. So I suppose if an HR file was breached, you would blame IRS/DOL for requiring the employer to store/report SSN information to support income withholding?

Meeting regulatory requirements is a part of doing business. If businesses can't meet regulatory requirements while keeping information safe, then they should get out of the industry they are in.

c1ue Mar 25, 2018 10:47 am

A note of reality to this discussion:

1) The notion that the Orbitz breach makes a significant dent in the total pool of identity information leaked online is ridiculous. There have been so many breaches and leaks that there are dark and regular web databases which contain 300 million plus identities including SSN, address, phone number, DOB and more (relatives/genealogy).
2) Regulatory requirements don't go anywhere close to requiring actual security. They introduce a bare minimum, is all.
3) And to be fair, a truly robust cyber security setup is both extraordinarily expensive in absolute terms and requires significant management effort. I say in absolute terms because the cost is simply too unaffordable for SMBs but a pittance for large enterprises. The management effort is because large enterprises have the extra challenge of legacy systems and organizational dysfunction.
4) Businesses at all levels are simply unaware of their cyber risk. Equifax, as far as I understand it, wasn't their core credit rating data but rather a customer service database which had been accumulating information for likely decades. How many CEOs think about the size of their customer service database? Equally, CISOs and security organizations are focused on the easily identifiable core assets - it is much more difficult to understand and mitigate the secondary and tertiary data repositories.

studentff Mar 26, 2018 7:52 am


Originally Posted by seawolf (Post 29558946)
Which business organization minimizes PII collection/storage while ignoring regulatory requirements applicable to their business?

Orbitz may (or may not) have been minimizing PII collection but because they could not ignore regulatory requirements they were forced to collect DOB because of DHS/TSA.


So I suppose if a HR file was breached, you would blame IRS/DOL for requiring employer to store/report SSN information to support income withholding?.
I personally feel that employer storing/reporting SSN serves a completely legitimate purpose of enforcing properly legislated (even if controversial to some) income and payroll tax collection. So no, I would blame the company/HR.

I personally feel that DOB is irrelevant to traveling by commercial air because the entire underlying blacklisting mechanism is both unconstitutional, poorly-conceived, and security theater to mask TSA's ineptness at detecting weapons/explosives/incendiaries (TSA: "identity matters"). DOB collection is a band-aid to reduce bad-press of NFL matches that never would have happened if the government had not gone crazy adding tens of thousands of irrelevant names to the NFL. Or if DHS/TSA predecessors hadn't decided that creating a no-due-process travel blacklist was a good idea. So I consider DHS/TSA partially responsible for the data breach.


Originally Posted by c1ue (Post 29564955)
3) And to be fair, a truly robust cyber security setup is both extraordinarily expensive in absolute terms and requires significant management effort. I say in absolute terms because the cost is simply too unaffordable for SMBs but a pittance for large enterprises. The management effort is because large enterprises have the extra challenge of legacy systems and organizational dysfunction.

The "simple" (but not easy) fix to that is to make the penalties for having data breached more expensive to the company than the cost of a robust security setup. $100,000 cash to each individual victim of a breach when there is evidence of negligence would be a great start. $10,000 might even do the trick. "Free credit monitoring" (which at best tells you after the identity theft happens and is really just an excuse to market services to the victim) is a farce.




This site is owned, operated, and maintained by MH Sub I, LLC dba Internet Brands. Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Designated trademarks are the property of their respective owners.