Travel website Viator suffered a compromise of payment card data on 2 September, 2014, and confirmed that some customer credit cards had been used for fraudulent purposes.
In a statement issued on 19 September, Viator (a subsidiary of TripAdvisor) warned users who have created a Viator account that their payment card details, email address, password, and Viator "nickname" may be compromised.
Viator said it is notifying "approximately 1.4 million Viator customers, who had some form of information potentially affected by the compromise."
Approximately 880,000 customers had their payment card information (encrypted credit or debit card number, card expiration date, name, billing address and email address), and possibly their Viator account information (email address, encrypted password and Viator "nickname") compromised.
Viator said that at this stage it has no reason to believe customers' card security codes had been compromised (the three- or four-digit code printed on the back or front of cards). The company also said that debit PIN numbers are not collected by Viator and could therefore not be compromised.
Viator is also notifying approximately 560,000 customers whose Viator account information may have been affected (email address, encrypted password and Viator "nickname").
"The protection of our customers' personal information is of paramount concern. Viator is dedicating all the resources necessary to investigate and resolve this incident. We are continuously working to strengthen our security measures to help minimise the potential for incidents of this nature in the future," Viator stated.
The website admitted that its investigation is still ongoing, and it first became aware of the issue after its payment card service provider found that unauthorised charges occurred on a number of its customers' credit cards.
"We have hired forensic experts, notified law enforcement and we have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems," said the company.
In the meantime, Viator said that it is applying additional security measures to protect customers, reinforcing and improving its intrusion detection and prevention systems, firewalls and security tools, and reviewing and hardening its systems. It also said that it is eliminating the need to store payment card details in its system.
Mark Bower, vice president of Voltage Security, said: "According to the breach reports, credit card data and other personal data was also compromised and exposed from e-commerce and mobile related applications. Security requirements in PCI DSS require basic protection of card data, but meeting compliance does not protect a company from breach risks.
"Given today's advanced threat landscape, organisations need to look beyond basic compliance to more contemporary data-centric defense strategies to secure all personal and sensitive data, including credit card details. Otherwise they will eventually be another breach victim at the expense of their customers. The good news is data-centric security can be implemented quickly with much more attractive economics than dealing with the cost of a breach, even in e-commerce ecosystems as in this case."
Dan Raywood is the editor of IT Security Guru.