Information Security News mailing list archives

Travelocity exposes customer information


From: InfoSec News <isn () C4I ORG>
Date: Wed, 24 Jan 2001 01:53:25 -0600

http://news.cnet.com/news/0-1007-200-4564919.html?tag=unkn

By Troy Wolverton
Staff Writer, CNET News.com
January 22, 2001, 6:30 p.m. PT

A security breach at Travelocity exposed the personal information of
thousands of the online travel company's customers, the company
confirmed Monday.

Names, addresses, phone numbers and e-mail addresses of Travelocity
customers who participated in a promotion on its site were exposed.
Travelocity executives closed the breach, which involved an insecure
directory, on Monday afternoon after it was pointed out.

For more than a month, up to 51,000 names could have been exposed by
the breach, said Jim Marsicano, executive vice president of sales and
service for Travelocity. Blaming the problem on human error, Marsicano
stressed that no customer order information was compromised by the
security hole.

"We take this privacy thing very seriously," Marsicano said. But he
added, "In this case, we didn't do what we were supposed to do."

Although Travelocity is still investigating the incident, Marsicano
said that it stemmed from the transfer of the company's servers from
San Francisco to Tulsa last month. As part of the move, some of the
company's internal data from two promotional contests that ran last
year was inadvertently left on a computer that is now being used as a
Web server, he said.

"We had a weak link in this particular transaction and you see the end
result," he said.

These kinds of breaches occur when a company gets complacent about
security risks, said Richard Power, editorial director of the Computer
Security Institute.

"This is an error (of) not dotting their I's or crossing their T's,"
Power said. "This is a situation where they are probably understaffed,
or they haven't understood that they are at risk of somebody poking
around."

Travelocity is only the latest site to compromise customer
information.

Last month, a hacker broke into Egghead.com, potentially exposing its
3.7 million customer accounts. Weeks later, the company said the
hacker didn't gain access to any of the credit card numbers it had on
file, but by then many of the credit cards had been canceled by banks
or worried customers.

Earlier last year, security breaches or hacker attacks exposed
customer and client information at CreditCards.com, Eve.com, IKEA and
Amazon.com.

An e-commerce executive, who asked to remain anonymous, reported the
security hole to CNET News.com on Monday. The insecure directory
allowed anyone to see the customer data without a password.

Travelocity's Web site assures customers of the site's security,
saying it uses "the latest encryption technology to ensure that every
transaction is safe." The company said it encrypts all personal
information after it is entered and transmits the encrypted
information over the Internet to a secure server, where it is
translated back to its original form and stored in an offline
database.

Simple errors like the Travelocity breach have happened all too
frequently, said Jason Catlett, president of the spam-fighting group
Junkbusters. They stem from companies not devoting enough financial
resources and technical expertise to addressing security issues, he
said.

"Of course these mistakes shouldn't happen," Catlett said. "There's a
rush to be first with a new feature and to get the promotion running
rather than making sure all of the doors are locked before they open
the front gate."

ISN is hosted by SecurityFocus.com