Viator was acquired by TripAdvisor, the world's largest travel site, for £122 million (US$ 200 million) last month – and TripAdvisor saw its NASDAQ shares slump 4 percent after the breach was disclosed, though they partially recovered later.
US-based Viator, which has a regional office in London, admitted late on Friday that attackers had stolen some of its customers' payment card data and that unauthorised charges had been made on some of those cards.
The compromised data relates to bookings made through Viator's websites and its mobile apps for Apple and Android devices.
Viator was first told of the hack by its payment card service provider on 2 September – more than two weeks before it went public. It has called in digital forensic experts and the police.
The company said: “While our investigation is ongoing, we are in the process of notifying approximately 1.4 million Viator customers who had some form of information potentially affected by the compromise.”
Viator says around 880,000 customers may have had their payment card information stolen, including encrypted credit or debit card numbers, card expiration dates, names, and billing and email addresses.
These customers may also have had their Viator account information stolen, which includes their email address, encrypted password and Viator 'nickname'.
A further 560,000 customers may have had only this account information stolen, with no card details involved.
Viator's investigation into the breach is continuing. “We have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems,” the company said.
It has warned all affected customers to monitor their card activity and report any fraudulent charges to their card company.
“Customers will not be responsible for fraudulent charges to their accounts if they are reported in a timely manner,” Viator said.
The company is also urging customers to reset their Viator password and to change it on any other site where the same password is used.
It added: “We have no reason to believe at this time that the three or four-digit code printed at the back or front of customers' cards was compromised. Additionally, debit PIN numbers are not collected by Viator and could therefore not be compromised.”
Viator is also making extra provision for US customers, though not yet for those in the UK.
It said: “We are offering free identity protection services, including credit monitoring, for our customers in the US. We continue to explore whether there are appropriate comparable options for our customers outside the US who may have been affected by this compromise.”
Viator offers travel tours and attractions in 1,500 destinations. When it was acquired last month TripAdvisor CEO Stephen Kaufer said: "Viator will be a great addition to the TripAdvisor family, as online and mobile bookings for attractions and activities represent a huge opportunity for our business."
But Viator has become the latest in a long line of payment card breach victims, following US retailers Target and Home Depot.
Security experts have pointed to one saving grace, that the stolen customer passwords were encrypted, but have criticised Viator's delay in making the breach public. How much protection that encryption gives depends on how the data was encrypted and whether the keys were also exposed, which the company's statements quoted here do not say.
Chris Boyd, malware intelligence analyst at Malwarebytes, told journalists via email: "It's unfortunate that this latest data breach has taken more than two weeks to come to light.”
Keith Bird, UK managing director at security specialist Check Point, told SCMagazineUK.com by email: “It would appear that an online database used for storing Viator customer details has been hacked in this attack. It is encouraging that Viator has confirmed that some of the customer data stolen, including credit card information and passwords, were encrypted as this provides at least some level of information protection.”
Boyd added: “Those customers who are eligible for the free ID monitoring services should take advantage of the offer and keep an eye on their statements.
“As time goes on, the 'valid rate' of any card dump – the best-guess percentage of cards which will work versus those already cancelled – will continue to dwindle.”
He said that as customers' three- or four-digit card codes were not leaked, “it may be a good idea for potential victims to ensure their online logins are secure and not tied to one password while they wait for more information to emerge.
“As a general rule, customers should always use passwords a lot longer than the suggested minimum of six characters and get into the habit of using password managers to ensure they're not falling into the trap of password re-use.”
Bird said that the Viator and other recent breaches “highlight the need for organisations to implement robust, multi-layered defences to protect the data they hold against web threats”.
Mark Bower, VP at Voltage Security, told journalists that online businesses handling large volumes of sensitive data are always at risk. Even if they encrypt their disks or servers “it does not reduce the threat of advanced malware capable of stealing live data from active systems”.
Bower said: “Organisations need to look beyond basic compliance to more contemporary data-centric defence strategies to secure all personal and sensitive data including credit card details. Otherwise they will eventually be another breach victim at the expense of their customers.
“The good news is data-centric security can be implemented quickly with much more attractive economics than dealing with the cost of a breach, even in e-commerce ecosystems as in this case.”
Techworm reports that TripAdvisor spokesman Kevin Carter said TripAdvisor customers have not been affected by the breach, explaining: “Viator and TripAdvisor are operated on separate systems with different design and security attributes, and with no overlap.”