DALLAS – Online travel agency Travelocity.com Inc. acknowledged Tuesday that personal information about some customers was read by some visitors to its website.
The breach exposed the names, addresses, phone numbers and e-mail addresses of about 45,000 Travelocity customers, said officials of the Fort Worth-based company.
Jim Marsicano, Travelocity’s executive vice president of sales and service, said the information was stored on a back-office server that was put into use on the company’s website. The customer information should have been deleted first, but wasn’t, he said.
“It was not a case of hacking. It was a case of something being left where it shouldn’t have been left,” Marsicano said.
The breach affected customers who entered contests on Travelocity’s website last year by submitting online forms that asked for some personal information. Marsicano said that customer’s credit card information was never exposed, however.
By clicking on an advertisement on Travelocity’s site, users connected to a page of text written in the Web-page language of html. From there, it was possible for someone familiar with html to reach a Microsoft Excel spreadsheet without a password that contained the information about contest entrants, Travelocity officials said.
Travelocity was alerted to the breach late Monday by CNet Networks Inc., a San Francisco-based technology news service. CNet reported that it was tipped about the breach by an executive of an Internet-commerce company.
Marsicano said all the people who found the spreadsheet work at the same place, but he declined to identify the company.
Marsicano said Travelocity customers whose information was on the compromised spreadsheet are being notified by e-mail.
Travelocity officials went to great lengths to draw a distinction between their breach and a series of recent hacking incidents at Internet retailers, some of which exposed customers’ credit-card information.