Travelocity Admits Security Lapse

D A L L A S, Jan. 24, 2001 -- Online travel agency Travelocity.com Inc. sayspersonal information from some 45,000 of its customers wasinadvertently left accessible on its Web site for months.

The breach exposed the names, addresses, phone numbers ande-mail addresses of those who entered promotions between May andNovember, officials of the Fort Worth-based company said today.

Jim Marsicano, Travelocity’s executive vice president of salesand service, said the information was stored on a back-officeserver that was put into use on the company’s Web site. Thecustomer information should have been deleted first but wasn’t, hesaid.

“It was not a case of hacking. It was a case of something beingleft where it shouldn’t have been left,” Marsicano said.

Affected Contest Forms

The breach affected customers who entered contests onTravelocity’s Web site by submitting online forms that asked forsome personal information. Marsicano said customer’s credit cardinformation was never exposed, however.

By clicking on an advertisement on Travelocity’s site, usersconnected to a page of text written in the Web-page language ofhtml. From there, it was possible for someone familiar with html toreach a Microsoft Excel spreadsheet — without a password — thatcontained the information about contest entrants, company officialssaid.

Travelocity was alerted to the breach late Monday by CNetNetworks Inc., a San Francisco-based technology-news service. CNetsaid it was told about the breach by an executive of anInternet-commerce company.

Marsicano said Travelocity customers whose information was onthe compromised spreadsheet are being notified by e-mail.

Travelocity officials went to great lengths to draw adistinction between their breach and a series of recent hackingincidents at Internet retailers, some of which exposed customers’credit card information.

Other Security Breaches

Last month, a hacker broke into Egghead.com, causing thetechnology retailer to notify about 3.5 million customers thattheir credit card information might have been compromised.

Egghead.com said later that credit card information was notstolen, but analysts said the incident — along with earlierbreaches at creditcards.com, Western Union and RealNames — couldundermine consumer confidence in using their credit cards to buythings on the Internet.