Expedia warns users about ‘unauthorized access’ of name, phone, email and booking info

The email from Expedia

UPDATED: Third party blamed for unauthorized access.

Some Expedia.com customers are getting emails from the firm warning that a would-be criminal has obtained “unauthorized access … (to) your name, phone number, email address and travel booking.”

The details are being used in an attempt to trick customers into sharing even more personal information, the firm says.

I obtained a copy of the email from a source.

“Please note that credit card information was not compromised,” the email says.  The warning tells recipients that someone is using the information — apparently obtained somehow from Expedia — in an attempt to trick consumers into divulging payment information.

It then urges recipients not to click on any links in the messages “or comply with any requests for your personal data or credit card information.. do not transfer money to any bank account listed in this email and/or SMS message.”

Expedia confirmed the authenticity of the warning to me.

“We are aware of a scenario involving fraudulent communications to a proportion of consumers who have booked on our site from an individual claiming to represent our organization or the hotel at which they have booked a room,” wrote Ingrid Belobradic, an Expedia spokesperson. “We have investigated this phishing incident thoroughly, and impacted customers are being or have been notified and advised of any appropriate action they may need to take.”

UPDATE 5 p.m., 6/24/2015 – Sarah Gavin, head of communications at Expedia, says the data was not stolen from Expedia, but rather from a third party. The data was stolen by a criminal who successfully phished a partner hotel and obtained that hotel’s login credentials, and subsequently stole names and other information about consumers who had used the Expedia system recently to book a stay at that hotel. The theft was limited to consumers who booked at that hotel, which she declined to identify.

Expedia representatives have taken to Twitter in recent days to issue a few warnings about a phishing scam, though it is unclear whether those Tweets are related to this warning.

“Hi @Expedia, just got a weird automated message apparently from you guys, sounds like a scam asking for cc details,” wrote one consumer four days ago. In response, Expedia wrote, “We’re sorry to hear you were targeted by these phishing scam phone calls.”

In another exchange, a user who booked a trip recently was told he had won cash to be used towards a recent booking.

“Just got phone call winning $2600 towards trip,need valid credit card to check into resort.Wanted to let you know about this. SCAM?” wrote the user. Expedia’s response: “Phishing scam targeting Canadian and US residents. Our information security team has indicated that there has been no data…” The Tweet is cut off at that point.

It’s hardly the first time a large travel site like Expedia has been targeted by an email scam. But use of authentic personal information, such as details of a recent booking sent to consumers’ cell phone number or personal email, makes a phishing attempt seem far more realistic — more like a spear phishing attack.

Expedia said it works continually to improve the security of its service.

“As an enhanced security measure, we have implemented a multi-factor authentication process in partnership with our hotel partners and have distributed various education mechanisms to our partners for further understanding of the sensitivity and importance of these type of fraudulent activities,” Belobradic said. “Our security team continually works to address situations such as this and is always focused on making sure our sites are as secure as possible.  We sincerely apologize for any inconvenience this incident may have caused.”



About Bob Sullivan 1218 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

4 Comments

  1. I have just been targeted by a phishing operation originating from Expedia. I successfully booked a hotel in Mendoza only to be contacted and told I needed to pay a further £100. I contacted customer service (India, I believe) and was told not to worry about it…just ignore it. The attitude was much too casual for my liking. Suspect third party involvement at Expedia?

  2. I am a long time customer of Expedia. I am receiving the message stating my “connection is not private and there may be hackers trying to use my information.” I need to get on Expedia to book a vacation (I ALWAYS use Expedia). How do I get this message off of so I can book my vacation? Thank you!
