Last week’s announcement by Viator is a reminder about the perils of payment processing. The online tours and activities platform revealed that a data compromise occurred in early September, affecting 1.4 million people.
Not all of those affected had payment processing information stolen – 560,000 were left vulnerable by a breach in security surrounding usernames, nicknames and passwords. Customers who used the same password on multiple sites are most affected by the potential dissemination of those credentials.
More worrisome are the 880,000 customers that had some sort of payment information stolen in the breach. From Viator’s announcement, this information included:
“…encrypted credit or debit card number, card expiration date, name, billing address and email address…We have no reason to believe at this time that the three or four digit code printed at the back or front of customers’ cards were compromised. Additionally, debit PIN numbers are not collected by Viator and could therefore not be compromised.”
This is a reminder, again, that brands should not store the CVV code in any system. Proper PCI-compliant practice is to never store that specific information anywhere whatsoever. Of course, a hacker who has inserted themselves into the transmission of that number from customer to company could still glean it. Nonetheless, it’s vital to consider each touch point as a card moves through the system.
Another item to remember is that many payment processors provide PCI-compliance verification services, and some even offer data breach security. Insurance agents can also help determine a business’ potential liability for a breach, so consider multiple options to thoroughly protect the business itself in the event of a breach.
Viator has hired forensic experts to help determine the source of the breach and has offered free credit monitoring and fraud protection to affected customers in the United States, while seeking comparable solutions for anyone impacted outside of the US.
TripAdvisor says the breach was limited to its Viator group – which was acquired earlier this year for around $200 million. This separation has not protected the parent company’s stock; TRIP is down nearly 5 percent today.