Viator data breach could affect 1.4 million customers

Customers of TripAdvisor-owned Viator could have had their payment card information stolen and account data swiped

Viator, the tour-booking and review website owned by TripAdvisor, has disclosed a data breach that could affect up to 1.4 million of its customers.

The company said that payment card data used to make bookings through Viator's website and app may have been exposed, and that Viator account holders may have had the email address, password and Viator "nickname" associated with their account compromised.

Viator said that it was informed by its payment card service provider on September 2 that unauthorised charges had occurred on a number of Viator customers' credit cards.

The tour-booking company said that it has hired forensic experts, notified law enforcement and is conducting its own investigation into the incident to identify how its systems were compromised.

It said that it is notifying approximately 880,000 customers whose payment card information, including encrypted credit or debit card number, card expiration date, name, billing address and email address, as well as Viator account information, may have been compromised.

"We have no reason to believe at this time that the three- or four-digit code printed on the back or front of customers' cards was compromised. Additionally, debit PIN numbers are not collected by Viator and could therefore not be compromised," the company said.

In addition, the company is notifying about 560,000 customers whose Viator account information may have been affected.

Viator recommends that all affected customers monitor their card activity and report any fraudulent charges to their card issuer. It also suggests that members reset their Viator password and change the password on any other account where the same password was reused.

For US customers, the firm said it would offer free identity protection services including credit monitoring, while it "continues to explore" whether similar options are appropriate for affected non-US customers.

Mark Bower, VP at Voltage Security, emphasised that meeting basic compliance in areas such as PCI DSS does not necessarily protect a company from breach risks.

"Given today's advanced threat landscape, organisations need to look beyond basic compliance to more contemporary data-centric defence strategies to secure all personal and sensitive data including credit card details. Otherwise they will eventually be another breach victim at the expense of their customers," he said.