Orbitz, a travel fare aggregator and subsidiary of travel company Expedia, reportedly announced on Tuesday that it recently uncovered evidence that one of its platforms may have been hacked, potentially exposing 880,000 payment cards.

According to Reuters and several other publications, Orbitz discovered the breach on March 1 during an investigation into a legacy Orbitz platform. An attacker may have accessed personal information stored on consumer and business partner platforms, the company reportedly said in a statement.

Orbitz said it took immediate steps to investigate the incident and boost security and monitoring of the affected platform.

We reached out for comment and Orbitz confirmed the breach in a statement provided to TechSpot via e-mail.

Orbitz said an attacker may have accessed personal information that was submitted for certain purchases between January 1, 2016, and December 22, 2017, on the partner platform and between January 1, 2016, and June 22, 2016, on the consumer side. Data including names, e-mail addresses, phone numbers, gender, dates of birth and billing addresses could have been compromised.

To date, however, the company claims it does not have direct evidence that any personal information was actually taken from the platform. Furthermore, Orbitz said there is no evidence that other types of personal information such as travel itineraries or passports were accessed.

The obvious question at this point is why Orbitz / Expedia never bothered to take down a “legacy” platform filled with customer information.

According to reports, the current Orbitz website was not involved in the breach.

The company is said to be offering affected parties one year of free credit monitoring and identity protection service.