Online travel company Travelocity may employ the latest in encryption
technology to defend its customers against prying eyes, but that doesn’t do
much to protect them against human error, as the company learned Monday.
An insecure directory, inadvertently left on one of the company’s Web
servers, may have exposed up to 45,000 names, addresses, phone numbers and
e-mail addresses — but no credit card numbers — of Travelocity sweepstakes
entrants. Travelocity executives said they patched the breach Monday
afternoon.
The data — from two promotional contests the company ran last year — was
probably exposed when the company moved servers from San Francisco to Tulsa,
Okla., last month, according to Travelocity. The data was on a computer that
has since been drafted for Web server duty, making it available without a
password to anyone poking around on the server.
The firm said no customer order information had been compromised.
“Customer trust and privacy — which we take very, very seriously — appears
to have been put in a situation where, if this information had been made
public to people that were less than scrupulous let’s say, they could end up
getting the names sold to an e-mail list,” Jim Marsicano, executive vice
president of sales and service for Travelocity, told InternetNews Radio
Tuesday. “Clearly we do not think this is going to happen because we’re
fairly certain that we know what took place. But I think that’s the most
that could come of it.”
The twist, however, lies in how Travelocity learned of the breach. An
unidentified e-commerce executive, probably from one of Travelocity’s
competitors, reported the security hole to CNET’s News.com Monday. The
service then called Travelocity to confirm.
But Marsicano said he would not characterize the executive’s actions as
hacking.
“We clearly do not believe that the corporation involved hacked our system,”
Marsicano said. “All Internet businesses, or practically all Internet
businesses, routinely see what their competitors are up to, see what’s going
on. In this particular instance, the individual that was doing the checking
had more than just a passing knowledge of — when they clicked on
something — what they were seeing. Were a similar situation to arise in the
future, our only hope is that we would be professional enough to handle it a
bit differently. Contacting the media is certainly their prerogative. It’s
one of the beauties of living in America. But I think just professionalism
and courtesy would have dictated that maybe even the second phone call would
have come to us if they didn’t think it should be the first.”
Online security has become a forefront issue in past weeks. Online retailer
Egghead.com was hacked in late December, with initial reports indicating that
as many as 3.7 million credit card numbers may have been stolen. Egghead Chief
Executive Officer Jeff Sheahan moved to allay those fears two weeks later,
saying that the Federal Bureau of Investigation and forensic security firm
Kroll Associates found the company’s security systems interrupted the hacker’s
intrusion. Creditcards.com also suffered a high-profile security breach when a
hacker posted some 25,000 credit card numbers on the Internet following a
failed blackmail attempt.
InternetNews Radio host Brian McWilliams contributed to this story.