Some Expedia.com customers are getting emails from the travel giant warning that a would-be criminal has obtained “unauthorized access … (to) your name, phone number, email address and travel booking.”
The details are being used in an attempt to trick customers into sharing even more personal information, the company says.
I obtained a copy of the email from a source.
“Please note that credit card information was not compromised,” the email says. The warning tells recipients that someone is using the information — apparently obtained somehow from Expedia — in an attempt to trick consumers into divulging payment information.
It then urges recipients not to click on any links in the messages “or comply with any requests for your personal data or credit card information … do not transfer money to any bank account listed in this email and/or SMS message.”
Expedia confirmed the authenticity of the warning to me.
“We are aware of a scenario involving fraudulent communications to a proportion of consumers who have booked on our site from an individual claiming to represent our organization or the hotel at which they have booked a room,” wrote Ingrid Belobradic, an Expedia spokesperson. “We have investigated this phishing incident thoroughly, and impacted customers are being or have been notified and advised of any appropriate action they may need to take.”
It is not clear how the individual obtained the personal information used in the phishing messages in the first place. Expedia did not provide additional detail and did not answer a specific question about how the attacker gained access to users’ contact and booking information.
UPDATE 2 p.m., 6/24/2015: Sarah Gavin, head of communications at Expedia, says the data was not stolen from Expedia, but rather from a third party. The data was stolen by a criminal who successfully phished a partner hotel and obtained that hotel’s login credentials, and subsequently stole names and other information about consumers who had used the Expedia system recently to book a stay at that hotel. The theft was limited to consumers who booked at that hotel, which she declined to identify.
Representatives of Bellevue-based Expedia have taken to Twitter in recent days to issue a few warnings about a phishing scam, though it is unclear whether those tweets are related to this warning.
“Hi @Expedia, just got a weird automated message apparently from you guys, sounds like a scam asking for cc details,” wrote one consumer four days ago. In response, Expedia wrote, “We’re sorry to hear you were targeted by these phishing scam phone calls.”
In another exchange, a user who had recently booked a trip was told he had won cash to be used toward that booking.
“Just got phone call winning $2600 towards trip, need valid credit card to check into resort. Wanted to let you know about this. SCAM?” wrote the user. Expedia’s response: “Phishing scam targeting Canadian and US residents. Our information security team has indicated that there has been no data…” The tweet is cut off at that point.
It’s hardly the first time a large travel site like Expedia has been targeted by an email scam. But the use of authentic personal information, such as the details of a recent booking sent to a consumer’s own cell phone number or personal email address, makes a phishing attempt far more convincing: the victim has no obvious way to tell the message from a legitimate follow-up by the hotel, which is what separates a spear-phishing attack from a generic scam.
Expedia said it works continually to improve the security of its service.
“As an enhanced security measure, we have implemented a multi-factor authentication process in partnership with our hotel partners and have distributed various education mechanisms to our partners for further understanding of the sensitivity and importance of these types of fraudulent activities,” Belobradic said. “Our security team continually works to address situations such as this and is always focused on making sure our sites as are secure as possible. We sincerely apologize for any inconvenience this incident may have caused.”
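The attack chain described in the update (a hotel’s partner-portal credentials are phished, then the account is used to read the details of recent bookings at that property) has a recognizable footprint on the partner side: a login from a network the property has never used, followed within minutes by a burst of booking lookups. Multi-factor authentication is the control that stops the stolen password from working at all; the detection below is the complementary check that catches an account that was compromised anyway. It is an added example written for this page, not Expedia’s code or a description of its partner systems. The log format, the account identifiers, the “known networks” baseline and the thresholds are all constructed and hypothetical; a real deployment would derive the baseline from login history and tune the burst threshold to the size of the property.

```python
"""Flag a partner (hotel) extranet account that looks phished and is being
used to harvest guest booking records.

Added example; the log format, account ids, baseline and thresholds are
constructed for illustration and are not from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log (hypothetical format): ISO timestamp, partner account,
# action, source IP, booking id ("-" for logins). hotel-4471 shows the phished
# pattern: a night-time login from a new network, then six lookups in a minute.
SAMPLE_LOG = """\
2015-06-20T09:01:10Z hotel-4471 login 203.0.113.20 -
2015-06-20T09:03:42Z hotel-4471 view_booking 203.0.113.20 BK100201
2015-06-20T11:15:05Z hotel-4471 view_booking 203.0.113.20 BK100212
2015-06-20T14:40:31Z hotel-4471 view_booking 203.0.113.20 BK100240
2015-06-20T22:17:03Z hotel-4471 login 198.51.100.77 -
2015-06-20T22:17:20Z hotel-4471 view_booking 198.51.100.77 BK100201
2015-06-20T22:17:31Z hotel-4471 view_booking 198.51.100.77 BK100205
2015-06-20T22:17:44Z hotel-4471 view_booking 198.51.100.77 BK100212
2015-06-20T22:17:58Z hotel-4471 view_booking 198.51.100.77 BK100219
2015-06-20T22:18:09Z hotel-4471 view_booking 198.51.100.77 BK100233
2015-06-20T22:18:21Z hotel-4471 view_booking 198.51.100.77 BK100240
2015-06-20T09:30:00Z hotel-9080 login 192.0.2.15 -
2015-06-20T09:31:12Z hotel-9080 view_booking 192.0.2.15 BK200011
2015-06-20T10:02:45Z hotel-9080 view_booking 192.0.2.15 BK200017
"""

# Assumed per-account baseline: networks each property has logged in from before.
KNOWN_NETWORKS = {
    "hotel-4471": [ip_network("203.0.113.0/24")],
    "hotel-9080": [ip_network("192.0.2.0/24")],
}

WINDOW = timedelta(minutes=10)   # sliding window for the burst rule
BULK_THRESHOLD = 5               # distinct bookings read inside WINDOW (assumed)


def parse_line(line):
    """Split one log line into a dict with typed fields."""
    ts, partner, action, ip, booking = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "partner": partner,
        "action": action,
        "ip": ip_address(ip),
        "booking": None if booking == "-" else booking,
    }


def detect(log_text, known_networks=KNOWN_NETWORKS,
           window=WINDOW, threshold=BULK_THRESHOLD):
    """Return (partner, rule, detail) alerts, in time order.

    Rule 1: a login from a source address outside the account's known networks.
    Rule 2: at least `threshold` distinct bookings read within `window`.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    reads = defaultdict(list)  # partner -> [(ts, booking)] of view_booking events
    for e in events:
        p = e["partner"]
        if e["action"] == "login":
            if not any(e["ip"] in net for net in known_networks.get(p, [])):
                alerts.append((p, "login_from_unknown_network", str(e["ip"])))
        elif e["action"] == "view_booking":
            reads[p].append((e["ts"], e["booking"]))
            recent = {b for t, b in reads[p] if e["ts"] - t <= window}
            if len(recent) >= threshold:
                alerts.append((p, "bulk_booking_read", e["ts"].isoformat()))
                reads[p] = []  # one burst raises one alert, not one per lookup
    return alerts


def suspect_accounts(alerts):
    """Accounts that tripped both rules: the signature of a phished partner login."""
    rules = defaultdict(set)
    for partner, rule, _ in alerts:
        rules[partner].add(rule)
    needed = {"login_from_unknown_network", "bulk_booking_read"}
    return {p for p, r in rules.items() if needed <= r}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(*alert)
    print("suspect accounts:", sorted(suspect_accounts(found)))
```

Either rule on its own is noisy (a manager logging in from home, a busy check-in desk); the combination within a short span is what makes it worth paging someone, and the response is to revoke the session, reset the credential and enumerate which bookings were read, since those are exactly the guests who will receive the follow-up scam.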