, potentially exposing payment card information for people that bought plane tickets or booked hotel rooms over the course of two years. The company said that it has uncovered evidence that about 880,000 payment cards were possibly impacted, along with other personal information, like names, payment card information, dates of birth, phone numbers, email addresses, physical and/or billing addresses and gender.

The company said evidence suggests an attacker may have accessed information stored on a legacy e-commerce platform during two periods: 1 January through 22 June 2016 and 1 October to 22 December 2017. “We determined on March 1, 2018, that there was evidence suggesting that an attacker may have accessed personal information stored on this consumer and business partner platform,” the Expedia-owned site said in a media statement. “We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform. To date, we do not have direct evidence that this personal information was actually taken from the platform. We deeply regret the incident, and we are committed to doing everything we can to maintain the trust of our customers and partners.”

Mike Schuricht, vice president of product management at Bitglass, said that the issue may have arisen as an artifact of the acquisition integration. Expedia bought the company in September 2015. “Any organization that is acquired by or is acquiring another business and its IT assets typically has a major blind spot with respect to its legacy or nonproduction systems,” Schuricht said via email. “As is the case with most audits and postmortems in the event of a breach, Expedia is likely looking back at the infrastructure affiliated with its prior acquisitions, like Travelocity, to ensure all of its owned databases are not similarly impacted.
It’s always a concern when an organization only becomes aware of a breach months or years after it takes place – highlighting the inadequacy of reactive security solutions and auditing processes.”

Orbitz is offering customers a year of free credit monitoring; yet Nathan Wenzler, chief security strategist at San Francisco-based security consulting company AsTech, said that more is needed. “Another day, another breach. And while the attackers show no signs of slowing down, companies really need to do more than just provide users a free year of credit monitoring services and consider their work done,” he said via email. “Legacy systems are common attack points, as they are often neglected, go without updates or patches and are commonly not monitored, which gives criminals an ideal avenue to gain access and steal whatever data may be resident there. In this case, it was nearly 900,000 credit card accounts. Credit monitoring may be a nice PR gesture, but it does not absolve companies from doing their due diligence around securing legacy systems and protecting their customers’ data, no matter where it lives.”