On March 2, 2022, Expedia Group, Inc. disclosed a data breach that occurred on March 24, 2021, impacting three individuals whose credit card information was potentially compromised. The incident was categorized under the type 'Other' in the breach classification. While the scale of the breach was limited—affecting only a small number of customers—Expedia responded by offering 12 months of identity theft protection services through its Expedia IdentityWorks program to mitigate potential risks. The breach did not involve large-scale data exfiltration, systemic financial fraud, or broader reputational damage beyond the immediate notification and remediation efforts. No evidence suggested the compromised data was used for fraudulent activities, and the company’s operational continuity remained unaffected. The incident primarily highlighted vulnerabilities in payment data security, though the impact was confined to a minimal subset of users without escalating into wider systemic consequences.

Orbitz, a subsidiary of online travel agency Expedia Inc EXPE.O, said hackers may have accessed personal information from about 880,000 payment cards. The breach had occurred between Jan. 1, 2016 and Dec. 22, 2017 for its partner platform and between Jan. 1, 2016, and June 22, 2016, for its consumer platform. Information such as names, phone numbers, email and billing addresses have been accessed. For U.S. customers, social security numbers were not involved in this incident, the company said. The company said it has addressed the breach after it was discovered in March this year. Credit card issuer American Express Co AXP.N said in a statement that the attack did not compromise its platforms. Expedia’s shares fell as much as 1.9 percent to $108.99.