1.4 million customers' data of Viator.com compromised
Founded in 1995, Viator is a TripAdvisor company headquartered in San Francisco, with regional offices in Sydney, London and Las Vegas. It is a leading global resource to discover and book travel activities, providing online and mobile access to thousands of curated trip activities including tours, attractions, shore excursions and private guides, in more than 1,500 destinations worldwide. It also has the Viator Tours and Activities App for iPhone, iPad, iPod touch and Android, as well as local-language sites for European, Latin American and Asian travelers.

As per the note issued by Viator.com, payment card and personal information of approximately 1.4 million Viator.com customers may have been compromised in a breach. The company also said that around 880,000 of its customers may have had their payment card information (encrypted credit or debit card number, card expiration date, name, billing address and email address) and possibly their Viator account information (login email address, encrypted password and Viator “nickname”) compromised.
CVV not breached
If it's of any solace to Viator.com customers, Viator said that though the credit card numbers have been compromised, they believe that the CVV number, a three- or four-digit code printed on the back of the customer’s credit card, may not have been breached. “We have no reason to believe at this time that the three or four digit code printed at the back or front of customers’ cards were compromised. Additionally, debit PIN numbers are not collected by Viator and could therefore not be compromised”, the company made sure to note in the notice. Unfortunately, they didn’t go into detail about the encryption used to protect the payment card information.

In addition to the payment card information of the above 880,000 customers, the hackers also managed to get the account information (login ID, encrypted password and Viator nickname) of around 560,000 customers. This takes the number of total customers, whose information may be in criminal hands, to 144,000 forming the bulk of its customers.
Investigations into the breach
As of now, not much is known about how the breach happened. Viator noted in its blog: “On September 2, we were informed by our payment card service provider that unauthorized charges occurred on a number of our customers’ credit cards. We have hired forensic experts, notified law enforcement and we have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems.” Law enforcement agencies are now trying to identify how the Viator.com servers were breached.

In the meantime, Viator has advised all affected customers to monitor their card activity and report any fraudulent charges to their credit card company. As is the norm with data breaches nowadays, Viator.com will be offering free identity protection services, but ONLY for customers in the US. Viator stated that those outside the US might receive similar services once the company finds “appropriate comparable options.”
Parent Company TripAdvisor Comments
Kevin Carter, spokesperson for Viator's parent TripAdvisor, a company with $944.7 million in turnover, assured that TripAdvisor customers have not been affected by the breach. He said, “Viator and TripAdvisor are operated on separate systems with different design and security attributes, and with no overlap.”

Techworm requests all Viator customers to change their Viator passwords ASAP and to follow a strict policy of using different passwords for different websites. If possible, it is advised to use a sound password management system in view of the different breaches that have been reported lately.

Update: This post got featured on several financial pages including Stocktwits.com, and shares of the Viator parent, TripAdvisor ($TRIP), which were trading at $98.37 at 8.15 am EDT, plummeted 5% to $93.28 at 11.15 am EDT.