On November 22, Travelocity notified the Maryland Attorney General’s Office of a breach they first learned about on February 21.
According to their letter, on that date they discovered that “over the previous several months, several employees of a Travelocity service provider had misused certain information to which they had access as part of performing services for us.” The information they misused was customers’ names and payment card numbers.
Although Travelocity contacted law enforcement and began investigating immediately, they delayed notification at the FBI’s request so as not to interfere with the criminal investigation.
The employees involved in the wrongdoing have been terminated by the unnamed service provider, and Travelocity has offered those affected free credit monitoring services.
You can read their notification letter here (pdf). Six Maryland residents were notified, but the total number affected was not disclosed. The same notification was filed with New Hampshire’s Attorney General, however, where three residents were affected.