Orbitz Data Breach Signals Complacency: What You Didn’t Know About Cyber Breaches

Steven Minsky | April 4, 2018

Orbitz said hackers may have accessed 880,000 credit card numbers and possibly the names, dates of birth, phone numbers, and addresses of consumers who booked through the site in 2016 and 2017.

The Orbitz data breach pales in comparison to the Equifax hack of 2017 and has been buried among headlines concerning Facebook. For many, this story barely counts as “news” because it’s just honestly not that “new.”

For me, the humdrum attitude of complacency is what makes the Orbitz data breach blogworthy. Nearly 1 million people were put at risk of identity theft, while a Google search yields only short-form articles with little analysis or opinion on the matter.

Complacency sets in when the general public believes a problem is unavoidable, irreversible, and inevitable. But as with every scandal I’ve analyzed, I believe the Orbitz data breach was entirely preventable. With the right outlook, and tools, all failures in risk management—from Wells Fargo to Facebook—can be anticipated and stopped.

Understanding Risk Management Failures Turns Complacency into Action

Most people still look at cyber breaches as failures in technology. However, while an unpatched system or a bug in the software can facilitate hacking, there are many oversights that occur in relation to these kinds of technological failures that are the true root-cause of a cyber breach.

For the Equifax data breach, personnel were made aware of a problem with a software they used months before hackers accessed the information, but the incident was never escalated to the right individual who could ensure a patch was deployed. If Equifax had a proper incident and risk management system in place, the notification from Homeland Security would have been properly escalated and monitored until the risk was mitigated.

In Orbitz’s case, hackers were able to access a large variety of data because Orbitz stores many of its credentials in the same database, according to George Avetisov, chief executive officer of security company HYPR. An integral component of any effective risk management program is actionable risk assessments. Had Orbitz assessed their process of keeping mass amounts of data in one centralized location, they would have identified the risks that ended up materializing.

After identifying this risk, Orbitz could have implemented a control that would have mitigated the size and impact of the data breach. “These databases create a single point of failure, and an easy target for hackers. Large enterprises are moving towards decentralized authentication in order to prevent large scale breaches, eliminate fraud, and ensure user privacy,” said Avetisov.

The point is, cyber breaches, alongside every other type of corporate misstep, aren’t just one-off, inevitable incidents. Companies can do a lot to prevent them by developing effective risk management programs.

Steps to Preventing Large-Scale Scandals with Risk Management

Today, reputation and brand count for a lot. Consumers decide whom they want to do business with based on how well they can trust them. In turn, investors will only support companies with a large, loyal customer base.

A new trend is also arising called ESG investing, where investors looks at the environmental, social, and governance impact of a company, in addition to their financials.

Regulations are also a huge concern for companies who deal with consumer data, which is just about all of them. For instance, the GDPR goes into effect May 25, 2018. This new data privacy regulation will apply to every organization that handles the data of EU residents. If this data is compromised, the penalty can be as high as €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher. As a travel site, Orbitz would undoubtedly be subject to such regulation.

Because of the reputational and regulatory risks that accompany scandals, every scandal has the potential to have a large-scale impact. These risks are the results of the see-through economy, an age where consumers and investors are empowered by new technologies to define their expectations, lobby for stricter regulations, and impact a company’s reputation.

However, the see-through economy doesn’t have to be a concept that companies operate in fear of. In fact, companies will do well to embrace the see-through economy and use it to their own benefit. New technologies also make it possible to turn every employee into a process improvement specialist. With the right tools, they can be the eyes and ears of every level of your organization. They know the risks the company faces, they just need the opportunity to escalate them.

Here are some steps to embracing the see-through economy, and preventing large-scale scandals:

  1. Administer standardized risk assessments to front-line employees across the enterprise to identify and assess key risks
  2. Enable online incident reporting in a way that connects incidents to their root-cause to better identify trends and design streamlined controls
  3. Conduct thorough due diligence on third-party relationships to mitigate risks on their end that could impact your company’s operations and reputation
2018 GRC Market Report Emphasizes New Risk Trends

Risk Assessment Template

Discover how to enhance your risk assessment techniques by downloading our free risk assessment template for Excel!