
Orbitz Hacked: Customer DOBs leaked thanks to DHS/TSA Secure Flight

Old Mar 21, 18, 7:08 am
  #1  
Original Poster
 
Join Date: Apr 2003
Location: BOS and vicinity
Programs: Former UA 1P
Posts: 3,717
Orbitz Hacked: Customer DOBs leaked thanks to DHS/TSA Secure Flight

https://www.usnews.com/news/business...-likely-hacked
https://www.theverge.com/2018/3/20/1...h-credit-cards

Orbitz said Tuesday about 880,000 payment cards were impacted.

Data that was likely exposed includes name, address, payment card information, date of birth, phone number, email address and gender.
The compromised data would be much less useful to identity thieves if it did not include date of birth, which Orbitz is required to collect thanks to DHS/TSA "Secure Flight" requirements. DOB gives the thieves a much better chance of opening accounts in the victims' names. Thanks TSA.

I have little hope of this, but DHS/TSA should be a party to any lawsuits or other accountability actions taken against Orbitz for this breach.
studentff is offline  
Old Mar 21, 18, 7:34 am
  #2  
 
Join Date: Aug 2012
Posts: 3,509
Originally Posted by studentff View Post
https://www.usnews.com/news/business...-likely-hacked
https://www.theverge.com/2018/3/20/1...h-credit-cards

The compromised data would be much less useful to identity thieves if it did not include date of birth, which Orbitz is required to collect thanks to DHS/TSA "Secure Flight" requirements. DOB gives the thieves a much better chance of opening accounts in the victims' names. Thanks TSA.

I have little hope of this, but DHS/TSA should be a party to any lawsuits or other accountability actions taken against Orbitz for this breach.
I believe it is safe to say that FlyerTalk pundits predicted this would happen when airlines were first forced to gather so much personal information on travelers.
petaluma1 is offline  
Old Mar 21, 18, 8:37 am
  #3  
A FlyerTalk Posting Legend
 
Join Date: Jul 2001
Location: Watchlisted by the prejudiced, en route to purgatory
Programs: Just Say No to Fleecing and Blacklisting
Posts: 90,983
Originally Posted by petaluma1 View Post
I believe it is safe to say that FlyerTalk pundits predicted this would happen when airlines were first forced to gather so much personal information on travelers.
Yes, but the airlines were more than willing to play nicely with the government. But passengers can still travel with the wrong birthday info in the bookings and the airlines’ customer tracking systems.
GUWonder is offline  
Old Mar 23, 18, 8:41 am
  #4  
Original Member
 
Join Date: May 1998
Location: New York, NY, USA
Programs: AA 2MM, Bonvoy LTT
Posts: 11,976
Originally Posted by studentff View Post
https://www.usnews.com/news/business...-likely-hacked
https://www.theverge.com/2018/3/20/1...h-credit-cards

The compromised data would be much less useful to identity thieves if it did not include date of birth, which Orbitz is required to collect thanks to DHS/TSA "Secure Flight" requirements. DOB gives the thieves a much better chance of opening accounts in the victims' names. Thanks TSA.

I have little hope of this, but DHS/TSA should be a party to any lawsuits or other accountability actions taken against Orbitz for this breach.
Oh please. Orbitz is responsible. Nothing to do with the SecureFlight requirement. If you are blaming DHS, then take it further and blame the financial institutions for using DOB on applications. You can then also blame the financial institutions for credit reporting bureau breaches. If the banks didn’t use DOB, DOB couldn’t be used for identity theft.
seawolf is offline  
Old Mar 23, 18, 11:50 am
  #5  
Original Poster
 
Join Date: Apr 2003
Location: BOS and vicinity
Programs: Former UA 1P
Posts: 3,717
Originally Posted by seawolf View Post
Oh please. Orbitz is responsible. Nothing to do with the SecureFlight requirement. If you are blaming DHS, then take it further and blame the financial institutions for using DOB on applications. You can then also blame the financial institutions for credit reporting bureau breaches. If the banks didn’t use DOB, DOB couldn’t be used for identity theft.
Storing superfluous unnecessary personally-identifying-information (PII) aggravates the severity of data breaches. Most reasonable organizations have policies to minimize PII collection/storage to the minimum necessary to complete a business purpose. Exact DOB would be irrelevant to booking/completing air travel if it weren't for DHS/TSA policy.

Sure, Orbitz is responsible for the data breach. But DHS/TSA architects of "Secure Flight" are responsible for sensitive information like DOB being stored at Orbitz.

(And in a perfect world, financial institutions wouldn't store DOB either. They would do whatever authentication they need/want to do when the customer signs up and then destroy the sensitive information and just keep an electronic indicator that the customer was authenticated. Companies will start learning these sorts of techniques over the next few years if they are held vigorously and expensively accountable for the impact of data breaches.)
studentff is offline  
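The verify-then-discard pattern described in the post above (authenticate at sign-up, keep only an indicator that authentication succeeded, never persist the sensitive attribute) as an added Python example; it is not code from the thread or from any of the companies discussed. The in-memory authoritative DOB table, the two store classes and the customer e-mail addresses are constructed assumptions standing in for a real identity-verification service and database.

```python
"""Verify-then-discard handling of a sensitive identity attribute (DOB).

Two stores sign up the same customers. The naive one persists the DOB it
collected; the minimal one checks the DOB, records the outcome, and lets the
value leave scope. fields_at_rest() shows what each store would expose if
its table were breached.
"""
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Dict, Optional, Set

# Constructed stand-in for an external identity-verification source
# (an assumption for this example; a real deployment would call a
# verification service rather than hold this table itself).
AUTHORITATIVE_DOB: Dict[str, date] = {
    "alice@example.com": date(1985, 4, 12),
    "bob@example.com": date(1990, 9, 30),
}


def verify_dob(email: str, claimed_dob: date) -> bool:
    """Return True if the claimed DOB matches the authoritative source."""
    return AUTHORITATIVE_DOB.get(email) == claimed_dob


@dataclass
class NaiveRecord:
    """Persists the raw attribute: a breach of this table exposes the DOB itself."""
    email: str
    date_of_birth: date
    identity_verified: bool


@dataclass
class MinimalRecord:
    """Persists only the verification outcome; there is no DOB field to leak."""
    email: str
    identity_verified: bool
    verified_at: Optional[str]  # ISO-8601 UTC timestamp, or None if the check failed


class NaiveStore:
    def __init__(self) -> None:
        self.records: Dict[str, NaiveRecord] = {}

    def sign_up(self, email: str, claimed_dob: date) -> NaiveRecord:
        rec = NaiveRecord(email, claimed_dob, verify_dob(email, claimed_dob))
        self.records[email] = rec
        return rec


class MinimalStore:
    def __init__(self) -> None:
        self.records: Dict[str, MinimalRecord] = {}

    def sign_up(self, email: str, claimed_dob: date) -> MinimalRecord:
        ok = verify_dob(email, claimed_dob)
        stamp = datetime.now(timezone.utc).isoformat() if ok else None
        rec = MinimalRecord(email, ok, stamp)
        self.records[email] = rec
        # claimed_dob is not referenced past this point; it leaves scope with
        # the call and is never written to the store.
        return rec


def fields_at_rest(store) -> Set[str]:
    """Attribute names actually persisted by a store: its breach footprint."""
    names: Set[str] = set()
    for rec in store.records.values():
        names.update(vars(rec).keys())
    return names


def demo() -> dict:
    """Sign up one matching and one mismatching customer in both stores."""
    naive, minimal = NaiveStore(), MinimalStore()
    for store in (naive, minimal):
        store.sign_up("alice@example.com", date(1985, 4, 12))  # matches source
        store.sign_up("bob@example.com", date(1991, 1, 1))     # does not match
    return {
        "naive_fields": fields_at_rest(naive),
        "minimal_fields": fields_at_rest(minimal),
        "verified": {e: r.identity_verified for e, r in minimal.records.items()},
    }


if __name__ == "__main__":
    result = demo()
    print("naive store keeps:  ", sorted(result["naive_fields"]))
    print("minimal store keeps:", sorted(result["minimal_fields"]))
    print("verification flags: ", result["verified"])
```

The point of `fields_at_rest()` is that a data-minimization review can be made mechanical: enumerate what a store actually persists and confirm the sensitive attribute is absent, rather than trusting that application code "does not use" it. A flag plus timestamp still lets the business prove a customer was verified, which is all the sign-up flow needed.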
Old Mar 23, 18, 12:18 pm
  #6  
Original Member
 
Join Date: May 1998
Location: New York, NY, USA
Programs: AA 2MM, Bonvoy LTT
Posts: 11,976
Originally Posted by studentff View Post
Storing superfluous unnecessary personally-identifying-information (PII) aggravates the severity of data breaches. Most reasonable organizations have policies to minimize PII collection/storage to the minimum necessary to complete a business purpose. Exact DOB would be irrelevant to booking/completing air travel if it weren't for DHS/TSA policy.

Sure, Orbitz is responsible for the data breach. But DHS/TSA architects of "Secure Flight" are responsible for sensitive information like DOB being stored at Orbitz.

(And in a perfect world, financial institutions wouldn't store DOB either. They would do whatever authentication they need/want to do when the customer signs up and then destroy the sensitive information and just keep an electronic indicator that the customer was authenticated. Companies will start learning these sorts of techniques over the next few years if they are held vigorously and expensively accountable for the impact of data breaches.)
Which business organization minimizes PII collection/storage while ignoring regulatory requirements applicable to their business?

I'm sure many HR departments would love to have employees working (business purpose) without having to handle the labor and taxation requirements and the PII involved. So I suppose if an HR file was breached, you would blame IRS/DOL for requiring the employer to store/report SSN information to support income withholding?

Meeting regulatory requirements is a part of doing business. If businesses can't meet regulatory requirements while keeping information safe, then they should get out of the industry they are in.
seawolf is offline  
Old Mar 25, 18, 10:47 am
  #7  
 
Join Date: May 2003
Location: San Francisco, CA Frmr AA Plat AW Plat Frmr UA 1K Frmr HGP Plat now just UA 1MM/1P
Posts: 275
A note of reality to this discussion:

1) The notion that the Orbitz breach makes a significant dent in the total pool of identity information leaked online is ridiculous. There have been so many breaches and leaks that there are dark and regular web databases which contain 300 million plus identities including SSN, address, phone number, DOB and more (relatives/genealogy).
2) Regulatory requirements don't go anywhere close enough to requiring actual security. They introduce a bare minimum, is all.
3) And to be fair, a truly robust cyber security setup is both extraordinarily expensive in absolute terms and requires significant management effort. I say in absolute terms because the cost is simply too unaffordable for SMBs but a pittance for large enterprises. The management effort is because large enterprises have the extra challenge of legacy systems and organizational dysfunction.
4) Businesses at all levels are simply unaware of their cyber risk. Equifax, as far as I understand it, wasn't their core credit rating data but rather a customer service database which had been accumulating information for likely decades. How many CEOs think about the size of their customer service database? Equally, CISOs and security organizations are focused on the easily identifiable core assets - it is much more difficult to understand and mitigate the secondary and tertiary data repositories.
c1ue is offline  
Old Mar 26, 18, 7:52 am
  #8  
Original Poster
 
Join Date: Apr 2003
Location: BOS and vicinity
Programs: Former UA 1P
Posts: 3,717
Originally Posted by seawolf View Post
Which business organization minimizes PII collection/storage while ignoring regulatory requirements applicable to their business?
Orbitz may (or may not) have been minimizing PII collection but because they could not ignore regulatory requirements they were forced to collect DOB because of DHS/TSA.

So I suppose if a HR file was breached, you would blame IRS/DOL for requiring employer to store/report SSN information to support income withholding?.
I personally feel that employer storing/reporting SSN serves a completely legitimate purpose of enforcing properly legislated (even if controversial to some) income and payroll tax collection. So no, I would blame the company/HR.

I personally feel that DOB is irrelevant to traveling by commercial air because the entire underlying blacklisting mechanism is unconstitutional, poorly conceived, and security theater to mask TSA's ineptness at detecting weapons/explosives/incendiaries (TSA: "identity matters"). DOB collection is a band-aid to reduce bad press of NFL matches that never would have happened if the government had not gone crazy adding tens of thousands of irrelevant names to the NFL. Or if DHS/TSA predecessors hadn't decided that creating a no-due-process travel blacklist was a good idea. So I consider DHS/TSA partially responsible for the data breach.

Originally Posted by c1ue View Post
3) And to be fair, a truly robust cyber security setup is both extraordinarily expensive in absolute terms and requires significant management effort. I say in absolute terms because the cost is simply too unaffordable for SMBs but a pittance for large enterprises. The management effort is because large enterprises have the extra challenge of legacy systems and organizational dysfunction.
The "simple" (but not easy) fix to that is to make the penalties for having data breached more expensive to the company than the cost of a robust security setup. $100,000 cash to each individual victim of a breach when there is evidence of negligence would be a great start. $10,000 might even do the trick. "Free credit monitoring" (which at best tells you after the identity theft happens and is really just an excuse to market services to the victim) is a farce.
Spiff likes this.
studentff is offline  