January 22, 2001 6:30 PM PST
Travelocity exposes customer information
Names, addresses, phone numbers and e-mail addresses of Travelocity customers who participated in a promotion on its site were exposed. Travelocity executives closed the breach, which involved an insecure directory, on Monday afternoon after it was pointed out.
For more than a month, up to 51,000 names could have been exposed by the breach, said Jim Marsicano, executive vice president of sales and service for Travelocity. Blaming the problem on human error, Marsicano stressed that no customer order information was compromised by the security hole.
"We take this privacy thing very seriously," Marsicano said. But he added, "In this case, we didn't do what we were supposed to do."
Although Travelocity is still investigating the incident, Marsicano said that it stemmed from the transfer of the company's servers from San Francisco to Tulsa last month. As part of the move, some of the company's internal data from two promotional contests that ran last year was inadvertently left on a computer that is now being used as a Web server, he said.
"We had a weak link in this particular transaction and you see the end result," he said.
These kinds of breaches occur when a company gets complacent about security risks, said Richard Power, editorial director of the Computer Security Institute.
"This is an error (of) not dotting their I's or crossing their T's," Power said. "This is a situation where they are probably understaffed, or they haven't understood that they are at risk of somebody poking around."
Travelocity is only the latest site to compromise customer information.
Last month, a hacker broke into Egghead.com, potentially exposing its 3.7 million customer accounts. Weeks later, the company said the hacker didn't gain access to any of the credit card numbers it had on file, but by then many of the credit cards had been canceled by banks or worried customers.
An e-commerce executive, who asked to remain anonymous, reported the security hole to CNET News.com on Monday. The insecure directory allowed anyone to see the customer data without a password.
Travelocity's Web site assures customers of the site's security, saying it uses "the latest encryption technology to ensure that every transaction is safe." The company said it encrypts all personal information after it is entered and transmits the encrypted information over the Internet to a secure server, where it is translated back to its original form and stored in an offline database.
Simple errors like the Travelocity breach have happened all too frequently, said Jason Catlett, president of the spam-fighting group Junkbusters. They stem from companies not devoting enough financial resources and technical expertise to addressing security issues, he said.
"Of course these mistakes shouldn't happen," Catlett said. "There's a rush to be first with a new feature and to get the promotion running rather than making sure all of the doors are locked before they open the front gate."