According to Reuters, an investigation showed that the breach may have occurred between January 1, 2016 and December 22, 2017 for its partner platform, and between January 1, 2016 and June 22, 2016 for its consumer platform. The website Orbitz.com was not impacted.
The exposed information may have included names, phone numbers, email addresses and billing addresses.
“To date, we do not have direct evidence that this personal information was actually taken from the platform and there has been no evidence of access to other types of personal information, including passport and travel itinerary information,” Orbitz said.
The company also revealed that the Social Security numbers of U.S. customers were not involved in this breach, which was just discovered in March of this year.
Credit card issuer American Express also said in a statement that the attack did not compromise its platforms.
This is the latest breach to involve the travel sector. Last month, InterContinental Hotels Group said that 12 hotels in the United States were compromised in a data breach. Malware hidden in servers uncovered and captured what is known as “track” data – which includes names, card numbers and codes – over a time frame ranging from August to December 2016.
And last October, Hyatt Hotels was hit with a credit card breach that exposed payment card information from those that were manually entered or swiped during check-in at the front desk. That breach followed a similar one in 2015, when the hotel operator revealed that hackers had been gaining access to the company’s credit card system for roughly four months, impacting properties in 50 different countries.
After news of the breach was released, Expedia’s shares fell as much as 1.9 percent to $108.99.