Computer Security category

Viator(dot)com Data Compromise: Are You Affected?

You may well be seeing an email appearing in your inbox from, a website designed to help you find tours and trips overseas with none of the typical messing about such tasks usually involve.

The emails have been sent out because it appears they had a breach and anything up to 1.4 million customers may have been potentially impacted by the compromise.

Some extracts:

We want to make you aware that Viator has experienced a data compromise that could potentially affect payment card data used to make bookings through Viator’s websites and mobile offerings. If you have created a Viator account, this compromise may also affect your email address, password and Viator “nickname.”

We have alerted the credit card companies and law enforcement, in addition to taking appropriate steps to secure our systems. We are writing to make you aware of the occurrence so that you can also monitor your accounts for any signs of unusual activity and take any other precautions you believe may be appropriate.

On 2 September 2014, we were informed by our credit card service provider that unauthorized charges had been made on a number of our customers’ credit cards. We have hired forensic experts, notified law enforcement and we have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems.

Although our investigation is continuing, we currently believe that some forms of your data may be affected by the compromise. This information includes encrypted credit or debit card number, along with card expiration date, name, billing address, email address and, if you have created a Viator account, the associated email address, encrypted password and Viator “nickname.” At this time, we have no reason to believe that the three or four digit number printed on the back or front of your card was compromised. Additionally, debit PIN numbers are not collected by Viator and therefore not affected.

The rest of the email describes how to sign up for 12 months complimentary ID theft protection services, advises customers to keep an eye on their credit card statements, says to change the last used Viator password and gives the following security tips:

* make sure your password is at least six characters in length * combine numbers and letters and don’t include commonly used words * include punctuation marks * mix capital and lowercase letters * try to use different passwords on different sites.

For what it’s worth, you should most definitely make your password a lot longer than six characters in length, and you should definitely use different characters on different sites all the time. A password manager will be able to assist with that one.

As for the above situation, the bad news is that the breach took place a good few weeks ago yet we’re only just hearing about it. The good news is that if you haven’t experienced a fraudulent transaction yet, you may be in the clear. Stolen payment data doesn’t tend to get stockpiled for too long because the people sitting on it know it’s only a matter of time before someone, somewhere notices and has the card cancelled. Check out the section on “Valid Rates” in this blog on carding by Brian Krebs, and his coverage of a stolen card dump fire sale from the Target breach.

Additionally, there doesn’t appear to have been a massive file posted online yet containing data such as PII related to the compromise – while that doesn’t mean there isn’t one, it’s a slim branch of hope to hold onto as we await more information on this latest high-profile attack.

Christopher Boyd


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.