Travelocity.com is issuing apologies to each of the 15,000 contest entrants whose personal information was inadvertently listed this week on a link on its site.
The names, mailing addresses, and, in some cases, phone numbers and e-mail addresses of 15,000 individuals who had entered sweepstakes on the site from May to November were displayed following the transfer of servers from one location to another.
One server that had been partially used for internal work was put into a Web-serving facility, and Travelocity “did not do everything we should have to make sure all files were removed,” said Jim Mariscano, executive vice president of sales and service at Travelocity.
“Clearly, this is something we take very seriously and is very embarrassing. We're huge privacy advocates and talk about Internet security at every conference.”
No credit card information or member profile information was exposed. Customer profile data are encrypted in a secure database, Travelocity said.
While the incident is not a case of hacking, Travelocity is investigating how information about the link, which could not be easily viewed, came to light. The link was a “number of layers down,” Mariscano said, and most Net users would not recognize the information as a company database. “There was a certain set of circumstances that had to be present [for the information to be seen],” he added.
Travelocity executives talked with executives at a competing company that it thought might be involved.
“This company has the technological ability, but we were assured they were not involved,” Mariscano said.
Travelocity has data on who accessed the database and how many times they viewed it. Someone who viewed it contacted a reporter anonymously but did not notify Travelocity.
“We would have preferred that they let us know, but at least they let somebody know,” Mariscano said.
Within 15 minutes of the reporter notifying Travelocity, the file was deleted.
“No matter how good you think you are at what you do, if you do this enough times without constant vigilance, that's what happens,” Mariscano said.
Travelocity has not received complaints from contest entrants over the breach, but Mariscano said most are probably not aware that this happened.
