14 DAY TRIAL // The computer systems of Viator, a TripAdvisor-owned website that offers tour-booking services for worldwide destinations, have been compromised and the incident exposed payment card information of 880,000 customers, fraudulent transactions occurring in the case of some of them.
The total number of customers affected by the incident is much higher, reaching 1.440 million, as the perpetrators also accessed Viator account details in the case of 560,000 clients.
The breach was made known to the company on September 2, and late last week, on September 19, an announcement was published informing users of the data compromise.
Payment details impacted
Viator discovered the breach after their payment card service provider informed them that unauthorized charges were recorded for the credit cards of some of their customers.
Following an investigation carried out by a team of forensic experts, the company determined that about 880,000 clients might have their payment card information compromised. This includes credit or debit card number, expiration date, name, billing and email addresses.
Fortunately, Viator saved the card numbers in an encrypted form, although there are no details about the encryption algorithm used.
Chris Boyd, malware intelligence analyst at Malwarebytes Labs, said via email that “if you haven’t experienced a fraudulent transaction yet, you may be in the clear. Stolen payment data doesn’t tend to get stockpiled for too long because the people sitting on it know it’s only a matter of time before someone, somewhere notices and has the card cancelled.”
Viator account info of 560,000 customers may have been exposed, too
Web account details of more than half a million visitors of the website were also affected during the incident, as the company started to notify them that their email address, nickname and encrypted password may have been accessed without authorization by an unknown party.
Users are advised to change their passwords on Viator and other websites, if the same one is used, to protect from illegal access to their account.
On the same note, the company recommends monitoring the card activity and report fraudulent transactions to their credit card company. “Customers will not be responsible for fraudulent charges to their accounts if they are reported in a timely manner,” the data breach disclosure says.
Boyd said that there isn’t evidence of a large database containing personally identifiable information being posted online, but this does not mean that it does not exist. “There doesn’t appear to have been a massive file posted online yet containing data such as PII related to the compromise - while that doesn’t mean there isn’t one, it’s a slim branch of hope to hold onto as we await more information on this latest high-profile attack,” he stated.