Travelocity Admits Security Lapse

ByABC News
January 24, 2001, 9:15 AM

D A L L A S, Jan. 24 -- Online travel agency Inc. sayspersonal information from some 45,000 of its customers wasinadvertently left accessible on its Web site for months.

The breach exposed the names, addresses, phone numbers ande-mail addresses of those who entered promotions between May andNovember, officials of the Fort Worth-based company said today.

Jim Marsicano, Travelocitys executive vice president of salesand service, said the information was stored on a back-officeserver that was put into use on the companys Web site. Thecustomer information should have been deleted first but wasnt, hesaid.

It was not a case of hacking. It was a case of something beingleft where it shouldnt have been left, Marsicano said.

Affected Contest Forms

The breach affected customers who entered contests onTravelocitys Web site by submitting online forms that asked forsome personal information. Marsicano said customers credit cardinformation was never exposed, however.

By clicking on an advertisement on Travelocitys site, usersconnected to a page of text written in the Web-page language ofhtml. From there, it was possible for someone familiar with html toreach a Microsoft Excel spreadsheet without a password thatcontained the information about contest entrants, company officialssaid.

Travelocity was alerted to the breach late Monday by CNetNetworks Inc., a San Francisco-based technology-news service. CNetsaid it was told about the breach by an executive of anInternet-commerce company.

Marsicano said Travelocity customers whose information was onthe compromised spreadsheet are being notified by e-mail.

Travelocity officials went to great lengths to draw adistinction between their breach and a series of recent hackingincidents at Internet retailers, some of which exposed customerscredit card information.

Other Security Breaches

Last month, a hacker broke into, causing thetechnology retailer to notify about 3.5 million customers thattheir credit card information might have been compromised.