Expedia Inc. subsidiary Orbitz.com has been hacked with customer details, including credit card numbers, possibly stolen from the site last year.

Expedia revealed the hack Tuesday. It said in a statement that they had found evidence that an attacker had invaded Orbitz’s “legacy systems” between October and December last year, accessing 880,000 customer records from January 2016 and December 2017, including names, dates of birth, postal and email addresses, gender and payment card information.

The company also said it had no evidence that the data was actually stolen, only that someone accessed Orbitz’s servers. However, that could be a deflection, since it’s not clear why someone would go to the bother of hacking a server if not to steal data.

Security industry experts were scathing. Mike Kail, chief technology officer at CYBRIC Inc., told SiliconANGLE that it’s “yet another large-scale breach that sounds like an apparent lack of proper security visibility and hygiene. It is also disappointing to have the disclosure take so long to be published after the incidents. This lackadaisical approach to protecting sensitive data needs to stop.”

Carl Wright, chief revenue officer at AttackIQ Inc., said these hacks are getting out of control, with barely a week passing without a significant breach being disclosed. “At some point, corporate executives and the Board of Directors will start asking how much of the information technology budget is being allocated to security control validation and testing,” he said. “If it is less than 10 percent of the security budget, they may have some real challenges proving the security program is effective. It is far cheaper to continuously validate your security using attack simulation than recover from a breach.”

Unfortunately, this lack of visibility into systems is common, said Bitglass Inc. Vice President Mike Schuricht. “Any organization that is acquired by or is acquiring another business and its IT assets typically has a major blind spot with respect to its legacy or non-production systems,” Schuricht said. “As is the case with most audits and postmortems in the event of a breach, Expedia is likely looking back at the infrastructure affiliated with its prior acquisitions, like Travelocity, to ensure all of its owned databases are not similarly impacted. It’s always a concern when an organization only becomes aware of a breach months or years after it takes place – highlighting the inadequacy of reactive security solutions and auditing processes.”

Consumers end up getting the worst of it, added Ken Spinner, vice president of global field engineering at Varonis Systems Inc. In effect, he said, they’re usually left “holding a crummy consolation prize – typically a year’s worth of free credit monitoring and an emailed apology.”

That’s “entirely inadequate,” he said. “If someone broke into your house and walked off with your TV one day and your sofa the next, you would probably catch on quickly and install an alarm or get a dog to scare away intruders. Yet no one at Orbitz spotted critical data leaving their network for close to two years.”

Image: 96223380@N02/Flickr