Be Careful with Legacy Systems

The popular travel site Orbitz recently announced that a hacker may have stolen the private information of up to 880,000 of their customers over the course of two years. While data breaches at major organizations like this are nothing new (and have become far too common in recent years), the method through which this attack was carried out should give all organizations a moment of pause and lead to some serious internal analysis.

What Happened?

In a statement released to the press, Orbitz singled out an old “legacy travel booking platform,” as the source of the breach. A legacy platform is a common term for any system or software still employed at an organization despite the fact it is likely out of date. Indeed, the “legacy” in the name means that other, more current systems have been built off of the backs of these particular systems.

As Orbitz noted, “We determined on March 1, 2018, that there was evidence suggesting that an attacker may have accessed personal information stored on this consumer and business partner platform. We took immediate steps to investigate the incident and enhance security and monitoring of the affected platform.”

The stolen information potentially includes the full name, birth date, address and credit card details of customers who used Orbitz between “Jan. 1, 2016, through June 22, 2016; and Oct. 1, 2017, to Dec. 22, 2017,” though they note they see no signs that the information was directly taken from this legacy platform.

What Does This Mean?

There are many reasons to stick with a legacy platform, from the simple cost associated with upgrading to the difficulty of migrating data to a new platform. Unfortunately, none of these reasons are likely to mean much to your angry customers once you’ve suffered a breach.

Updating these platforms and keeping a close eye on them should be a 24/7 job. Just think about this; do you leave your most valuable possessions out on the lawn all day and night, or do you keep them safely locked inside your house — perhaps even behind a vault —instead? By relying on older systems without the proper monitoring and security, you’re basically leaving the door open for cyber criminals to come in and make off with your data.

Orbitz has since corrected this vulnerability and enhanced their security, but this simply isn’t a scenario your organization should ever be in. Your weak points need to be properly evaluated now, if they haven’t already; once you’ve identified your weaknesses, corrective security measures should be put in place.

BAI Security’s Managed Security Services, powered by AlienVault®, allow you to identify vulnerabilities in your network and immediately remediate them. If a legacy platform were to be attacked, you would immediately know about it. Receiving valuable information like this quickly can have a tremendous impact on your organization.

Consistently monitoring your legacy platforms after updates are no longer provided is a must. Learn from the mistakes of others and avoid their unfortunate outcomes.

Posted in BAI Security Blog and tagged , , , , , .