TripAdvisor’s Viator Data Breach Affects 1.4 Million Customers

September 26, 2014         By: Matt Turner

Approximately 880,000 users of TripAdvisor’s Viator service had their credit card information stolen as a result of a data breach where 1.4 million subscribers information was accessed.

Viator, which was acquired by TripAdvisor earlier this summer for $200 million, says they were notified that unauthorized charges were appearing on their users’ cards.

Among the information stolen from the subscribers were their encrypted credit and debit card numbers, card expiration dates, billing addresses, e-mail addresses, and their names. An additional 560,000 subscribers may have had only their usernames and passwords stolen.

In a statement, Viator said, “On September 2, we were informed by our payment card service provider that unauthorized charges occurred on a number of our customers’ credit cards. We have hired forensic experts, notified law enforcement and we have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems.”

For those in the U.S. who have had their information compromised, Viator is offering a one-year membership of Experian’s ProtectMyId Alert, an identity theft protection service. They are looking into similar protection for their out-of-country subscribers.

Viator is strongly suggesting to their subscribers to change their passwords on any site where they used the same security credentials.

Due to the incident, TripAdvisor’s stock dropped 4 percent this week, according to Investor’s Business Daily.

TripAdvisor, however, is fortunate since the breach accessed only Viator’s users’ information and not everyone that uses the site. The two, while under one roof now, operate on entirely different systems “with different design and security attributes, and with no overlap,” a TripAdvisor spokesperson said.

In order to prevent similar situations in the future, Viator said they will apply additional security measures, work with security and forensics experts to investigate the matter, reinforce and improve their intrusion detection and prevention systems and firewalls, and eliminate the need to store payment card details in their system.