The travel site Viator, which was purchased by TripAdvisor for $200 million in 2014, disclosed last week that they had joined the hallowed halls of compromised websites. News of the compromise came to the company via their third-party payment processor. Apparently credit cards were being used unbeknownst to the card owners. It is unclear how this attack took place and how the data was exfiltrated.

From Viator:

"On September 2, we were informed by our payment card service provider that unauthorized charges occurred on a number of our customers’ credit cards. We have hired forensic experts, notified law enforcement and we have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems."

The company will be notifying 1.4 million customers. Of that number, 880,000 are believed to have had their payment information compromised. A further 560,000 customers had their usernames and passwords accessed by unknown attackers. It was not stated how long this breach was in place, or how they didn’t notice and had to be notified by a third party of the underlying issue.

Now, while I commend them for bringing this information forward in relatively short order, I’m troubled that they have not reset all of their customer passwords. Instead they are recommending that customers change their passwords. Seems to be lacking some logic in the thought process. They are taking the time to provide customers with credit monitoring services.

So, be sure to change your password if you have not already done so. Be sure to let the company know that they should have locked all of these accounts. The proactive step would have been far better than hoping that customers will address the issue.