Viator, a tour-booking website used by TripAdvisor and others, has just notified 1.4 million customers that their data may have been compromised in a recent data breach. In all, 880,000 customers may have had their payment information compromised, while another 560,000 likely had their email address and encrypted Viator password leaked.
It’s the latest in a string of high-profile retail breaches. Amid the conversations about better security for the nooks and crannies of a sprawling organization’s network, point-of-sale and e-commerce security, and inside-out methods for intrusion detection, another angle to all of these compromises is, of course, the danger of federated identities.
In Viator’s case, the company is “taking immediate steps to investigate and determine the full scope of the compromise,” it said in a notice on its website, adding that it has “hired forensic experts, notified law enforcement and we have been working diligently and comprehensively to investigate the incident, identify how our systems may have been impacted, and secure our systems.”
Details beyond that are scant, but Viator did say that right now it looks like the three- or four-digit security codes printed on the back or front of customers’ cards were not compromised. Also, debit PINs aren’t collected by Viator and therefore couldn’t have been stolen.
“There doesn’t appear to have been a massive file posted online yet containing data such as PII [personally identifiable information] related to the compromise — while that doesn’t mean there isn’t one, it’s a slim branch of hope to hold onto as we await more information on this latest high-profile attack,” said Chris Boyd, malware intelligence analyst at Malwarebytes Labs, in a blog post.
He added, “The good news is that if you haven’t experienced a fraudulent transaction yet, you may be in the clear. Stolen payment data doesn’t tend to get stockpiled for too long because the people sitting on it know it’s only a matter of time before someone, somewhere notices and has the card cancelled.”
As with other data breaches, including Home Depot, Target, Neiman Marcus and many others, Viator only discovered the breach after someone else detected fraudulent activity. In this incident, Viator said that it was notified of unauthorized charges on Sept. 2 by one of its payment processors.
“The breach at Viator fits the disturbing recent pattern. It’s not just true that big-name brands, one by one, are steadily getting breached. It’s also emerging as a pattern that most of the targeted companies don’t even know about the breach until someone outside – normally someone looking for patterns of fraudulent use of cards – notifies them that they are the apparent source of the leak,” said Mike Lloyd, CTO of RedSeal Networks, in an email. “Losing a fight is bad; not even knowing that you’re in one is worse.”
Meanwhile, Jonathan Sander, strategy and research officer at STEALTHbits Technologies, brought up the fact that all of this information, taken together, offers an entirely new angle to criminal activity in the form of 360-degree victim profiles and a potential predictive analysis capability.
“This is a smart hack,” he said. “People who are booking tours and trips in this economy are clearly good targets for those with financial motives.” Taking that information (this is clearly a victim set with disposable income) and correlating it with details of card activity from other breaches allows criminals with big-data slicing and dicing capability to come up with a holistic view of the victim, along with a predictive model for their habits and behaviors, which can be used in everything from social engineering to malvertising to watering hole attacks.
“What’s…interesting is the analogy between the big business move to big data analytics and how much of that data is now turning up in data breaches,” he said in an email. “The data these firms are keeping on hand for analysis makes them richer targets over time. One can also imagine a shadow big data world growing in the world of organized crime-driven hacking. What do you get when you add up all the data from Target, Home Depot and Viator? If advertisers can sell and market to you better with big data, what can the e-mafia do to you with that same data? The marketer knows what you think and where you go. It’s scary to think of criminals with ill intent having that kind of predictive power over your life.”
While we wait for more details on this latest breach, the message is becoming rather repetitive: retail outfits have to up their security game, because what they’re doing clearly isn’t working.
“It’s like building a castle with a moat around it, but failing to look at the activities being performed by people you let in, either knowingly or not, through the front door,” said Sharon Vardi, CMO of Securonix, in a note. “At the end of the day, the only way to really stop this kind of attack in its tracks is by monitoring all user behavior across all critical systems, and being alerted in real time when anomalous behavior is detected.”