Customers of travel websites Expedia and its subsidiaries, Travelocity and Hotels.com, are being targeted by a new phishing scam. The alleged perpetrators have been contacting customers of the respective websites and posing as representatives of those companies, attempting to gain the customer’s personal information including credit card numbers. 

Both Travelocity and Expedia have contacted their customers warning them about “fraudulent emails and/or SMS messages that were sent by an individual posing as a representative of our company and of the unauthorized access by that individual of your name, phone number, email address and travel booking.” The messages made a point to state that credit card information was not compromised. The Security Affairs blog also reports that “Some users already notified to have received a phone call that informed them of a $2600 win towards trip, the hackers requested a valid credit card to check into the resort.”

GeekWire reports that the customer data was not stolen from Expedia or its subsidiaries but rather a third party hotel: “The data was stolen by a criminal who successfully phished a partner hotel and obtained that hotel’s login credentials, and subsequently stole names and other information about consumers who had used the Expedia system recently to book a stay at that hotel. The theft was limited to consumers who booked at that hotel.” 

Expedia is addressing the security failure by incorporating multi-factor authentication into its hotel bookings and promises to educate its travel partners regarding data security. 

Lavasoft’s Web Companion offers Phishing Protecting and helps you and your family avoid online scams and malicious websites. For cyber security tips for travelers, also see our post about Internet Safety Month.