Up To 1.4m Viator Users Have Passwords And Credit Card Details Stolen

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Viator warns customers about data breach two weeks after it happened

Online travel booking and review website Viator has warned 1.4 million of its customers that their account details and credit card information could have been compromised by a recent data breach, of which it was made aware on 2 September.

The company, recently acquired by TripAdvisor, says it was informed by its payment card provider that unauthorised charges had occurred on a number of customer credit cards and immediately launched an investigation.

It says it hired forensic experts, notified law enforcement agencies and worked to secure its systems before telling users about the breach on 19 September.

Viator data breach

“Viator is making customers aware that we have experienced a data compromise that could potentially affect payment card data used to make bookings through Viator’s websites and mobile offerings,” the company said in a statement. “For those customers who created a Viator account, this compromise may also affect the email address, password and Viator “nickname” associated with the account.

“Protecting the security of our customer information is paramount, and we are taking immediate steps to investigate and determine the full scope of the compromise. We deeply regret any inconvenience this may cause.”

Up to 880,000 may have had their card information and personal details compromised, but there is no suggestion that the three- or four-digit CVV numbers on the rear of the card have been stolen. A further 560,000 may have had their login details stolen.

Appropriate measures

Viator recommends that users change their password for the site, as well as for any other sites where they use the same credentials, and monitor their card activity. It says customers will not be charged if they report any fraud within a reasonable amount of time. Free identity protection services will be offered to US users and the company is also investigating the possibility of offering similar services to customers outside the country.

“It’s unfortunate that this latest data breach has taken more than two weeks to come to light,” says Chris Boyd, malware intelligence analyst at Malwarebytes. “Those who are eligible for the free ID monitoring services should take advantage of the offer and keep an eye on their statements. As time goes on, the “valid rate” of any card dump – the best guess percentage of cards which will work versus those already cancelled – will continue to dwindle.

“As Viator have stated they believe the CVV for cards was not collected, it may be a good idea for potential victims to ensure their online logins are secure and not tied to one password while they wait for more information to emerge. As a general rule, customers should always use passwords a lot longer than the suggested minimum of six characters and get into the habit of using password managers to ensure they’re not falling into the trap of password reuse.”

Massive data breaches have impacted a number of US retailers in recent months, with 40 million customers impacted by an attack on Target in 2013. It is believed a recent breach at The Home Depot was even bigger, affecting as many as 56 million people.
