Online travel firm Orbitz has revealed details of a “data security incident” which may have revealed detailed personal information on hundreds of thousands of its customers.

The breach occurred when hackers accessed a legacy version of Orbitz’s booking platform. Though the hackers didn’t manage to get their hands on passport numbers and travel itineraries, they did manage to uncover a whole cache of meaningful personal data, including full names, payment card details, dates of birth, email addresses, physical addresses, billing addresses, phone numbers and even genders.

It’s thought some 880,000 accounts were impacted, with the hack taking place during the period of 1 October and 22 December 2017.

Anyone who made a purchase on the Orbitz platform in the first half of 2016, or who used “certain partners” between most of 2016 and 2017, were affected. These ‘certain partners’ is possibly the biggest worry for consumers, as it involves finance giant American Express. Amex Global Business Travel relies on the Orbitz network, meaning these customers could have been affected without realising – if they’re unaware of the Amex-Orbitz link.

This link shines a light on cyber security and shows just how vigilant companies need to be – not only in protecting their own customers’ data, but also thoroughly vetting potential business partners, to protect against these instances. After all, though American Express wasn’t targeted and none of its systems were breached, it will be guilty by association in the eyes of many consumers.

In light of the attack, Orbitz has set up a dedicated web page to provide its customers with all the information the company has on what happened, and to advise on next steps. In it, Orbitz says to its consumers: “We encourage you to remain vigilant, review your account statements, and monitor your credit reports.”

By way of compensation, it is also offering affected customers one year of complimentary credit monitoring and identity protection service (in countries where available).