Orbitz Hack: How to Protect Yourself After the Breach

The travel site says personal information was stolen from payment cards

Orbitz app GettyImages-453351826

Travel website Orbitz said that personal information from more than 880,000 payment cards appeared to have been hacked from a platform the company operates.

Orbitz, a subsidiary of Expedia, said the hack allowed thieves access to information on purchases made by customers in 2016 and most of 2017.

The data stolen probably included names, addresses, phone numbers, and email addresses, as well as other personal information, the company said, though Social Security information was not taken.

Orbitz, which said it worked with security experts and law enforcement, discovered the breach March 1 and is now notifying customers. It is offering one free year of credit monitoring and identity protection service.

This latest cyberattack is much smaller than other recent breaches, especially last year’s hack of Equifax, which compromised the personal information of 148 million Americans. But privacy experts said consumers should still take the Orbitz attack seriously.

“This is nothing to sneeze at,” says Beth Givens, executive director of the Privacy Rights Clearinghouse, which has tracked data breaches since 2005. “I think consumers should assume that their personal information has been compromised even though they may not have been notified. There have been so many data breaches that you just can’t assume that you haven’t been affected.”

Precautions You Can Take

Many details about the Orbitz data breach are still unclear, but if you are notified by the company, there are steps you can take to limit the damage.

Watch your accounts closely. It’s a good idea to start checking all your accounts carefully. Look for charges you don’t recognize. If you spot something strange, call your credit, debit, or prepaid card company, or bank, right away, says Christina Tetreault, senior staff attorney at Consumers Union, the advocacy division of Consumer Reports.

Consider getting new payment cards. If there was a breach with your debit, prepaid, or credit card, you may want to get a new card with a new account number, Tetrault says. This will keep your account from being used without your permission. If you get a new card, make sure to change any automatic payments to your new card so that you aren’t charged for missed or late payments.

Keep in mind that if you used a credit card for any Orbitz transactions, you have less to worry about than if you used a debit card because the rules that protect you are stronger for victims of credit card fraud.

Call Orbitz to sign up for free credit monitoring
Orbitz is offering this free service for one year. The service provides an ongoing review of your credit history. Doing this won’t let you know if someone is using your existing accounts without your permission, but it will let you know if someone opened a new account in your name. Orbitz says that affected customers residing in the U.S. may sign up for this service by submitting their information online or calling 855-828-3959 toll-free.

If you believe you’ve had other information stolen in the past, such as your Social Security number, you can also:

Place a fraud alert on your credit report.
This warns prospective lenders that you have been a victim and that they should take reasonable extra steps to verify your identity before granting credit to the person claiming to be you.

To request a fraud alert, you have to contact only one of the big three credit bureaus—Equifax, Experian, or TransUnion. The bureau you contact will pass it on to the other two. (You must place a separate alert with Innovis, a smaller credit bureau.)

An initial fraud alert lasts 90 days. If you’re an ID-theft victim, you can get an extended fraud alert that stays in place for seven years. But you may be better off with the 90-day alert because that allows you to get a free credit report from each of the four credit bureaus each time you renew the alert.

Place a security freeze. A security freeze placed on your credit file will block most lenders from seeing your credit history. That makes a freeze the single most effective way to protect against fraud.

If a prospective lender can’t pull your credit report, he won’t issue a new loan. That usually stops identity thieves from setting up fraudulent accounts in your name.

There’s a drawback, though. The freeze also shuts out most companies you may want to do business with, including lenders, telecom companies, and insurers.

To give them access when you want to apply for a loan or open a cellular service account, you have to temporarily lift the freeze and set a date for it to be reinstated automatically.

Note that not everyone is blocked from getting your credit report. Banks and credit unions where you already have accounts can still check your credit report, as can collection agencies and certain government agencies.

A freeze might be free, depending on your state and circumstances—for example, if you’re an identity-theft victim and have filed a police report about the incident. Otherwise, expect to pay $2 to $12 to initiate or temporarily lift a freeze at each credit bureau: Equifax, Experian, TransUnion, and Innovis. Review your state’s law for specific details.

You’ve Been Hacked

Have you experienced suspicious activity on your online accounts? On the "Consumer 101" TV show, Consumer Reports expert Thomas Germain explains how to take back control of your digital privacy.

Nikhil Hutheesing

I edit and write stories about personal finance. But it's not quite what you think. Besides giving advice, our stories also uncover unseemly financial practices often lurking in the least expected places. Find me on Twitter (@Nikhil212).