The travel website Viator, which TripAdvisor purchased last month for $200 million, recently acknowledged that a data breach may have exposed customer contact information, passwords and payment card data.
Viator was notified on September 2, 2014 by its payment card service provider that unauthorized charges had occurred on several of its customers’ credit cards.
“We have hired forensic experts, notified law enforcement and we have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems,” the company said in a statement.
Approximately 880,000 customers’ encrypted credit or debit card numbers, card expiration dates, names, billing addresses and email addresses may have been exposed, along with some of those customers’ Viator “nicknames” and encrypted passwords.
An additional 560,000 customers’ Viator “nicknames,” email addresses and encrypted passwords may also have been exposed.
All affected customers are being advised to monitor their credit card statements for fraudulent activity, and are being offered a free one-year membership in Experian’s ProtectMyID Alert service.
All users are also being urged to reset their Viator passwords, and to do the same on any other sites where they used the same login credentials.
The company says it’s taking the following steps in response to the breach:
- Applying additional security measures to protect our customers
- Working with leading security and forensics experts and with law enforcement to aggressively investigate the matter
- Reinforcing and improving our intrusion detection and prevention systems and firewalls
- Reinforcing and improving our security tools
- Reviewing and hardening our systems
- Eliminating the need to store payment card details in our system
Investor’s Business Daily notes that TripAdvisor’s stock price dropped by 4 percent earlier this week as news broke of the breach.
Dr. Mike Lloyd, CTO of RedSeal Networks, says it’s unfortunate that Viator is yet another example of a company that wasn’t aware of a data breach until it was alerted to it by a third party.
“Losing a fight is bad; not even knowing that you’re in one is worse,” Lloyd says.
Because the traditional business priority is “make it work,” not “make it easy to monitor,” Lloyd says, business infrastructure often gets too complicated too fast to keep the blueprints up to date. “And the result of this lack of visibility? Breaches happen without the responsible companies even knowing it has happened until the stolen information starts showing up on the black market.”
Still, Malwarebytes Labs malware intelligence analyst Chris Boyd says people who haven’t yet been hit by credit card fraud may be in the clear.
“Stolen payment data doesn’t tend to get stockpiled for too long because the people sitting on it know it’s only a matter of time before someone, somewhere notices and has the card cancelled,” Boyd noted in a blog post.