RealTime IT News

Travelocity Patches Security Hole

Online travel company Travelocity may employ the latest in encryption technology to defend its customers against prying eyes, but that doesn't do much to protect them against human error, as the company learned Monday.

An insecure directory, inadvertently left on one of the company's Web servers, may have exposed up to 45,000 names, addresses, phone numbers and e-mail addresses -- but no credit card numbers -- of Travelocity sweepstakes entrants. Travelocity executives said they patched the breach Monday afternoon.

The data -- from two promotional contests the company ran last year -- was probably exposed when the company moved servers from San Francisco to Tulsa, Okla., last month, according to Travelocity. The data was on a computer that has since been drafted for Web server duty, making it available without a password to anyone poking around on the server.

The firm said no customer order information had been compromised.

"Customer trust and privacy -- which we take very, very seriously -- appears to have been put in a situation where, if this information had been made public to people that were less than scrupulous let's say, they could end up getting the names sold to an e-mail list," Jim Marsicano, executive vice president of sales and service for Travelocity, told InternetNews Radio Tuesday. "Clearly we do not think this is going to happen because we're fairly certain that we know what took place. But I think that's the most that could come of it."

The twist, however, lies in how Travelocity learned of the breach. An unidentified e-commerce executive, probably from one of Travelocity's competitors, reported the security hole to CNET's News.com Monday. The service then called Travelocity to confirm.

But Marsicano said he would not characterize the executive's actions as hacking.

"We clearly do not believe that the corporation involved hacked our system," Marsicano said. "All Internet businesses, or practically all Internet businesses, routinely see what their competitors are up to, see what's going on. In this particular instance, the individual that was doing the checking had more than just a passing knowledge of -- when they clicked on something -- what they were seeing. Were a similar situation to arise in the future, our only hope is that we would be professional enough to handle it a bit differently. Contacting the media is certainly their prerogative. It's one of the beauties of living in America. But I think just professionalism and courtesy would have dictated that maybe even the second phone call would have come to us if they didn't think it should be the first."

Online security has become a forefront issue in past weeks. Online retailer Egghead.com was hacked in late December, with initial reports indicating that as many as 3.7 credit card numbers may have been stolen. Egghead Chief Executive Officer Jeff Sheahan moved to allay those fears two weeks later, saying that the Federal Bureau of Investigation and forensic security firm Kroll Associates found the company's security systems interrupted the hacker's intrusion. creditcards.com also suffered a high-profile security breach when a hacker posted some 25,000 credit card numbers on the Internet following a failed blackmail attempt.

InternetNews Radio host Brian McWilliams contributed to this story.