TripAdvisor admits to database security breach

Popular travel website TripAdvisor is the latest well-known brand to 'fess up to a security breach.

Earlier this week, online entertainment retailer Play.com lost a bunch of customer data to cybercrooks via an external marketing company. Late last week, no less a scalp than RSA - the security company's security company! - admitted publicly that criminals had penetrated its servers and stolen possibly-significant trade secrets.

TripAdvisor alerted its users with an email describing what had happened. Fortunately, it looks as though the bad guys only managed to make off with email addresses.

"This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor's member email list."

"How will this affect you? In many cases, it won't. Only a portion of member email addresses were taken, and all member passwords remain secure."

The stolen email list will be pretty handy to spammers and scammers, and TripAdvisor shouldn't have let the crooks get hold of it. But many people publish their email addresses openly anyway, or have addresses that are easy to guess. So your email address is probably the least worrying part of your online persona to lose.

That makes this an embarrassing breach rather than a dangerous one. However, that's cold comfort for TripAdvisor.

If you use email for direct marketing purposes, don't let yourself get caught out like Play.com or TripAdvisor. Whether you lose email lists from your own servers or through a third-party marketing company is irrelevant - it's your brand which suffers. Even if you only lose email addresses, it's a poor advertisement for your business.

One Response to TripAdvisor admits to database security breach

  1. Andrew Ludgate says:

    "If you use email for direct marketing purposes, don't let yourself get caught out like Play.com or TripAdvisor. Whether you lose email lists from your own servers or through a third-party marketing company is irrelevant - it's your brand which suffers. Even if you only lose email addresses, it's a poor advertisement for your business."

    That said, if you use email for direct marketing purposes and suffer a security breach, PLEASE come clean like Play.com and TripAdvisor did. Leaving your subscribers in the dark makes them much more prone to falling for a phishing scam or other attack than if they've been informed of the breach.

    While publicly admitting to a breach might be poor advertising, covering it up will likely turn out to be even worse advertising in the long run as people external to the company put two and two together.

About the author

Paul Ducklin is Sophos's Head of Technology, Asia Pacific. He won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. (Try saying that quickly.) Email him in the Sydney office or follow him on Twitter at @duckblog.