Expedia users targeted by phisher who gained access to their info
An unknown number of Expedia customers have been getting emails from the company, warning them about fraudulent emails or SMSes they might receive or might have already received, asking them to share personal or credit card data.
The email says that the fraudulent messages are sent by an individual posing as a representative of the company, who somehow managed to access the targets’ names, phone numbers, email addresses and travel booking information.
Credit card numbers were not compromised, the email said.
Sarah Gavin, head of communications at the popular online travel booking company, told Bob Sullivan that Expedia was not breached, and that the information was stolen from a partner hotel (which she declined to name).
The attacker apparently managed to phish someone at the hotel, and obtained the hotel’s login credentials. This gave him (or her?) access to the information about consumers who used Expedia to book their stay at the hotel.
“As an enhanced security measure, we have implemented a multi-factor authentication process in partnership with our hotel partners and have distributed various education mechanisms to our partners for further understanding of the sensitivity and importance of these type of fraudulent activities,” Expedia spokesperson Ingrid Belobradic noted, but didn’t say whether this was before or after this particular attack.
All customers are advised to be careful about phishing attempts, either via email, SMS or phone. Even though having some information about the target helps attackers pull off the scam, skilled phishers don’t need it.
UPDATE: Some customers of online travel agencies Travelocity and Hotels.com (both owned by Expedia) have also received the warning emails.