1.4 million customers affected by data breach in TripAdvisor's Viator
Viator (which is Latin for “Traveller”), TripAdvisor’s website for tour-booking and reviews, is the recent victim of a data breach that resulted in the loss of data from 1.4 million customers, including email addresses, passwords, Viator nicknames and payment card data. Viator became aware of this incident on the 2nd of September and rushed to make an announcement regarding the security breach.
More details please?
Viator’s payment card service provider noticed that unauthorized charges were being made on their customers’ credit cards. This led to an investigation that linked the charges to the aforementioned data breach. About 880,000 customers have had their encrypted credit or debit card numbers, card expiration dates, names, billing addresses and email addresses compromised along with their Viator account information (email address, encrypted password and Viator nickname), whilst an additional 560,000 customers’ Viator nicknames, email addresses and encrypted passwords were compromised as well. This adds up to a total of 1.4 million customers affected, an astonishing number that joins other hacks that compromised massive numbers of accounts, such as the impressive CyberVor data theft in August, the Albertsons and SuperValu stores hack about a month ago, and the rumored J. P. Morgan hack just a few weeks ago (and those are just the most recent cases of stolen data; if we go back to the not-so-distant past we can see many other hacks as well, e.g. the eBay hack).
Viator announced the details of the stolen data in a press release, in which they stated:
“On September 2, we were informed by our payment card service provider that unauthorized charges occurred on a number of our customers' credit cards. We have hired forensic experts, notified law enforcement and we have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems.
While our investigation is ongoing, we are in the process of notifying approximately 1.4 million Viator customers, who had some form of information potentially affected by the compromise.”
Viator also said that debit card PIN numbers and the CVV numbers (the 3- or 4-digit numbers on the back of the card) were not exposed because they are not stored in the database.
What happens now?
Customers who are U.S. residents and have been affected by the data breach are offered free identity protection services (namely a free one-year protection membership in Experian's ProtectMyID Alert), including credit card monitoring, and a similar solution is in the works for customers outside the United States.
Nevertheless, all affected customers should report fraudulent charges on their credit cards as soon as possible and also reset their passwords on the Viator site.
There are no details whatsoever about how the hackers managed to break into the company’s database and decrypt the encrypted sensitive information.
Customers expect major websites to invest a big percentage of their resources in the security of their data; trust between the two sides is built upon assurance and not insecurity.