Payment card and personal information of approximately 1.4 million Viator.com customers may have been compromised in a breach that was confirmed late last Friday.
The popular travel and tours provider has begun notifying customers of the breach.
880,000 customers may have had their payment card information (encrypted credit or debit card number, card expiration date, name, billing address and email address) and possibly their Viator account information (email address, encrypted password and Viator “nickname”) compromised.
“We have no reason to believe at this time that the three or four digit code printed at the back or front of customers’ cards were compromised. Additionally, debit PIN numbers are not collected by Viator and could therefore not be compromised”, the company made sure to note in the notice. Unfortunately, they didn’t go into detail about the encryption used to protect the payment card information.
Additionally, some 560,000 customers may have had their account information compromised.
Not much is currently known about how the breach happened.
“On September 2, we were informed by our payment card service provider that unauthorized charges occurred on a number of our customers’ credit cards,” the company simply stated. “We have hired forensic experts, notified law enforcement and we have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems.”
They advised all affected customers to monitor their card activity and report any fraudulent charges to their credit card company, and are offering free identity protection services for our customers in the US. Those outside the US might receive similar services once the company finds “appropriate comparable options.”
All customers are advised to change their Viator passwords, as well as the passwords on other sites where they used the same one.
Viator has been acquired by Tripadvisor this August, but the company spokesperson Kevin Carter assured that Tripadvisor customers have not been affected by the breach: “Viator and TripAdvisor are operated on separate systems with different design and security attributes, and with no overlap.”