Last week, Travelocity.com Inc. basked in the glow of an announcement that it expects to be “at or close to profitability” by this year’s second quarter. Unfortunately, the online travel agency’s zipper was down, in the form of a privacy glitch that exposed the names and e-mail addresses of about 44,000 people.
Officials at Fort Worth, Texas-based Travelocity today confirmed that an encrypted file containing information about users who had entered various contests run by the company was inadvertently posted on its live Web site. The problem was brought to Travelocity’s attention last night, and the company is now sending apologies to the customers whose names and contact information was exposed.
Jim Marsicano, executive vice president of sales and service at Travelocity, said the problem originated last month when a server was moved from San Francisco to the company’s main data centre in Tulsa, Okla. The machine “had been allocated for in-house work and file storage [but] was inadvertently put into a production environment,” he said.
When the server went online, Marsicano added, a random link was created that made available a directory for the spreadsheet-based file, which hadn’t been scrubbed by IT workers at Travelocity. No credit card numbers or transaction data was included in the file, according to Marsicano. But he said the glitch was “horribly embarrassing and not the way we should be running our business.”
It also came at an inopportune time, just days after Travelocity announced that its projected timetable for becoming profitable would be moved up six months — an announcement that had analysts touting the company as one of the Internet’s top success stories (see story). Travelocity last Wednesday also said it expects to be profitable for this year as a whole.
Analysts who follow the travel industry said the privacy problem probably won’t slow down Travelocity’s drive toward profitability, but they added that the data exposure was a serious gaffe for the most heavily used online travel site.
Travelocity “should probably do an audit of their safety and security procedures,” said Henry Harteveldt, an analyst at Forrester Research Inc. in Cambridge, Mass. He added that archrival Expedia Inc. in Bellevue, Wash., took that step last summer, when it went through an outside security audit and issued a pledge of complete confidentiality to its users.
David Provost, an analyst at Gomez Advisors Inc. in Waltham, Mass., said he seconds the notion that “some sort of third-party validation of their practices” might be in order for Travelocity in the wake of this incident.
Marsicano said it’s too early to determine what steps could have helped head off the data exposure, but he added that Travelocity definitely plans to tighten its IT checklist when system migrations take place. The company already has departmental ombudsmen in place, but that process failed to catch the error. “The truth of this is [that] this is just a result of human frailty,” Marsicano said.
Since being alerted to the problem, Travelocity has also been checking its system to see who viewed the exposed file. Marsicano said the company’s current belief is that the information didn’t fall into the hands of any group or persons who might misuse it. “We know exactly who viewed the pages, and we’re in the process of contacting the folks involved,” he said.