Cyber Incident Victim: Viator

Date: Sep 2014

Location: United States of America

Summary

A travel website subsidiary experienced a breach compromising approximately 1.4 million users, with payment card details (including encrypted card numbers, expiration dates, names, and billing addresses) and account information (email addresses, encrypted passwords, and nicknames) accessed. The incident was detected after fraudulent charges appeared on customer cards, prompting an investigation involving forensic experts and law enforcement. While card security codes and debit PINs remained unaffected, the company implemented enhanced security measures such as improved intrusion detection systems, firewalls, and plans to eliminate stored payment card data. Approximately 880,000 users had payment data exposed, while 560,000 others had account information compromised.

Description

On 2 September 2014, Viator, a TripAdvisor subsidiary operating a travel booking website, suffered a security breach compromising approximately 1.4 million customer records. The company first detected the incident after its payment card processor identified unauthorized charges on customer credit cards, prompting Viator to initiate an investigation. Forensic analysis revealed attackers accessed payment card details—including encrypted card numbers, expiration dates, cardholder names, billing addresses, and associated email addresses—for approximately 880,000 customers. An additional 560,000 customers had account credentials exposed, comprising email addresses, encrypted passwords, and Viator-assigned nicknames. The company confirmed fraudulent activity occurred on some compromised credit cards but clarified that card security codes (CVV/CVC) remained unaffected, as Viator did not store them. Debit card PINs were also unaffected since the company did not collect this data. Viator publicly disclosed the breach on 19 September 2014, notifying all potentially impacted customers via direct communication while emphasizing its investigation remained ongoing with assistance from digital forensics specialists and law enforcement agencies.

Viator implemented multiple containment measures following the breach discovery, including enhanced intrusion detection and prevention systems, firewall upgrades, and comprehensive system hardening reviews. The company announced plans to eliminate storage of payment card information within its systems as a preventative measure against future compromises. Internal response efforts focused on securing infrastructure while external actions included coordinating with payment processors to monitor fraudulent transactions and providing breach notifications detailing the specific data elements exposed per customer. No evidence suggested that card security codes were exfiltrated or that non-Viator systems were affected. The incident exclusively impacted Viator's customer database and e-commerce platforms, with forensic reviews continuing to determine the exact attack vector and duration of unauthorized access prior to detection. Operational disruptions were not reported, though the breach represented one of the largest travel industry cybersecurity incidents of 2014 based on affected customer volume.
