Travel website Viator.com is in the middle of notifying approximately 1.4 million of its customers that their personal information – payment card data included – may have been compromised.
The San Francisco-based company, which specializes in expert-curated travel suggestions, announced the breach late last week, more than two weeks after it claims it was informed by its payment card service provider that unauthorized charges had occurred on a number of its customers’ credit cards.
“We have hired forensic experts, notified law enforcement and we have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems,” the company claimed in a press release.
The company believes that 560,000 of the site’s users may have had their email address, encrypted password and Viator “nickname” compromised in the breach.
On top of that, it’s also warning that a higher number of customers, 880,000, may have had payment card information stolen – their encrypted credit or debit card number, expiration date, name, billing address and email address – in addition to the aforementioned information.
Viator is trying to assuage customers’ fears by insisting that the three- or four-digit security codes that appear on cards, along with any PINs associated with debit cards, were not implicated in the breach.
As is to be expected with breaches of this magnitude, Viator is promising its customers free credit monitoring, but it is also urging its members to reset their passwords and monitor their card activity.
The fact that this breach apparently happened at the beginning of the month, yet the public and customers are only now finding out about it, is cause for concern, according to experts.
“The bad news is that the breach took place a good few weeks ago yet we’re only just hearing about it,” said Chris Boyd, a malware intelligence analyst at Malwarebytes Labs. “The good news is that if you haven’t experienced a fraudulent transaction yet, you may be in the clear. Stolen payment data doesn’t tend to get stockpiled for too long because the people sitting on it know it’s only a matter of time before someone, somewhere notices and has the card cancelled.”
Viator offers users travel suggestions and gives them the option to purchase day trip, tour and dinner vouchers directly through the site. The site was purchased by the popular travel review site TripAdvisor for $200 million over the summer.
Viator didn’t immediately reply to a request for comment Wednesday and failed to divulge in its release exactly how, or for how long, its users’ information was compromised, but it did acknowledge that anyone who used a payment card to make bookings or created a Viator account, either on its website or its mobile app, could be at risk.