, potentially exposing payment card information for people who bought plane tickets or booked hotel rooms over the course of two years. The company said that it has uncovered evidence that about 880,000 payment cards were possibly impacted, along with other personal information, like names, payment card information, dates of birth, phone numbers, email addresses, physical and/or billing addresses and gender. The company said evidence suggests an attacker may have accessed information stored on a legacy e-commerce platform during two periods: 1 January through 22 June 2016 and 1 October to 22 December 2017. "We determined on March 1, 2018, that there was evidence suggesting that an attacker may have accessed personal information stored on this consumer and business partner platform," the Expedia-owned site said in a media statement. "We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform. To date, we do not have direct evidence that this personal information was actually taken from the platform. We deeply regret the incident, and we are committed to doing everything we can to maintain the trust of our customers and partners." Mike Schuricht, vice president of product management at Bitglass, said that the issue may have arisen as an artifact of the acquisition integration. Expedia bought the company in September 2015. "Any organization that is acquired by or is acquiring another business and its IT assets typically has a major blind spot with respect to its legacy or nonproduction systems," Schuricht said via email. "As is the case with most audits and postmortems in the event of a breach, Expedia is likely looking back at the infrastructure affiliated with its prior acquisitions, like Travelocity, to ensure all of its owned databases are not similarly impacted.
It's always a concern when an organization only becomes aware of a breach months or years after it takes place – highlighting the inadequacy of reactive security solutions and auditing processes." Orbitz is offering customers a year of free credit monitoring; yet Nathan Wenzler, chief security strategist at San Francisco-based security consulting company AsTech, said that more is needed. "Another day, another breach. And while the attackers show no signs of slowing down, companies really need to do more than just provide users a free year of credit monitoring services and consider their work done," he said via email. "Legacy systems are common attack points, as they are often neglected, go without updates or patches and are commonly not monitored, which gives criminals an ideal avenue to gain access and steal whatever data may be resident there. In this case, it was nearly 900,000 credit card accounts. Credit monitoring may be a nice PR gesture, but it does not absolve companies from doing their due diligence around securing legacy systems and protecting their customers' data, no matter where it lives."
Yahoo CEO Marissa Mayer said she'll forego her 2016 bonus and any stock award for this year after the company admitted it failed to properly investigate hack attacks that compromised more than a billion user accounts. "When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies," she wrote in a note published Monday on Tumblr. "However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company's hardworking employees, who contributed so much to Yahoo's success in 2016." Her note came as Yahoo for the first time said that outside investigators identified about 32 million accounts for which forged browser cookies were used or taken in 2015 and 2016. The investigators said some of the forgeries were connected to the same nation-sponsored attackers who compromised Yahoo in 2014. The cookies tied to the forgeries have since been invalidated. Yahoo also said that the 2014 attacks targeted 26 specific accounts by exploiting the company's account management tool. The company went on to say unnamed senior executives failed to grasp the extent of the breach early enough. A filing submitted Monday with the US Securities and Exchange Commission stated: Based on its investigation, the Independent Committee concluded that the Company's information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016.
In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company's account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company's information security team. Specifically, as of December 2014, the information security team understood that the attacker had exfiltrated copies of user database backup files containing the personal data of Yahoo users but it is unclear whether and to what extent such evidence of exfiltration was effectively communicated and understood outside the information security team. However, the Independent Committee did not conclude that there was an intentional suppression of relevant information. Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident. The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident.