TripAdvisor has warned users that its member email list has been compromised.
In an email to users, TripAdvisor co-founder and CEO Steve Kaufer said that the company had discovered that an unauthorised third party had stolen 'part' of the email list, and that it had confirmed the source of the vulnerability and shut it down.
“We're taking this incident very seriously and are actively pursuing the matter with law enforcement. How will this affect you? In many cases, it won't. Only a portion of all member email addresses were taken and all member passwords remain secure. You may receive some unsolicited emails (spam) as a result of this incident,” he said.
“The reason we are going directly to you with this news is that we think it's the right thing to do. As a TripAdvisor member, I would want to know. Unfortunately, this sort of data theft is becoming more common across many industries and we take it extremely seriously.
“I'd also like to reassure you that TripAdvisor does not collect members' credit card or financial information, and we never sell or rent our member list. We will continue to take all appropriate measures to keep your personal information secure at TripAdvisor. I sincerely apologise for this incident and appreciate your membership in our travel community.”
Ross Brewer, vice president and managing director of international markets at LogRhythm, said: “It's the regularity of these types of incident that suggests traditional approaches to IT security are no longer fit for purpose.
“Worryingly for TripAdvisor, consumers take a very dim view of companies that are lax with their data. A survey conducted by OnePoll in November 2010 found that around two-thirds of UK consumers would try to avoid interacting with firms which are known to have lost confidential information.”
Paul Vlissidis, technical director at NGS Secure, part of NCC Group, said: “Even though no passwords appear to have been stolen, most people will not cheer at the prospect of even more spam. Obviously investigations will have to proceed and unfortunately, there does seem to be a spate of these incidents surfacing at the moment.
“While people can change passwords between websites, many often solely rely on just the one email address so breaches like this are extremely annoying. Individuals place trust in sharing their data via a website and this trust is often linked to the brand. Well-known brands, such as this, being hacked undermines that trust. We would advise all users to take some responsibility for their own security, irrespective of the branded sites they use.”
Russell Poole, security director at 2e2, said: “The reality is that criminals are increasing both the volume and sophistication of their attacks. This breach highlights the vital importance of having multiple layers of security that are properly configured.
“Security is always high on the agenda of most companies, but the reality is the fight against criminals is getting harder and so organisations must ensure they are continually reviewing and improving their security processes, procedures and tools.”
Aziz Maakaroun, business development director at Outpost24, said: “This data breach is highly embarrassing for TripAdvisor, not to mention very worrying for their customers. In a period when people are looking to book their summer holidays, this attack could not have come at a worse time for a travel company.
“Thankfully the attackers seem to have only been able to steal the company's emailing list, rather than more valuable customer details. Coming hot on the heels of the Play.com breach, this attack goes to show that organisations simply aren't doing enough to safeguard customer information.”