Pennsylvania Attorney General Josh Shapiro announced a $110,000 settlement with the traveling websites Orbtiz and Expedia after a data breach that put the credit card information of almost 21,000 state residents at risk.

Shapiro lead an investigation into the data breach that discovered a hacker was able to add malware to steal credit card payment information. The breach was revealed in March 2018 after an Orbitz business partner notified the company, which is operated by Expedia, of fraudulent transactions using customers’ credit cards. A total of 20,755 Pennsylvania customers had their credit card information exposed with about 880,000 credit cards breached globally.

“Just like that, someone broke into Orbitz’s IT system and vacationed in what was supposed to be a safe place for travelers,” Shapiro said. “The breach showed the company’s promise to keep customer information secure was more like a leaky boat.

“We work every day to protect Pennsylvania consumers and to seek justice when any company misrepresents itself.”

In the settlement, Orbitz and Expedia will pay $110,000 with $80,000 of that cost in a civil penalty. The websites also have to increase their security practices, including developing a safeguard operating plan, conducting annual risk assessments and integrating a comprehensive information security program.