TripAdvisor admits to database security breach

Popular travel website TripAdvisor is the latest well-known brand to 'fess up to a security breach.

Earlier this week, online entertainment retailer Play.com lost a bunch of customer data to cybercrooks via an external marketing company. Late last week, no less a scalp than RSA - the security company's security company! - admitted publicly that criminals had penetrated its servers and stolen possibly-significant trade secrets.

TripAdvisor alerted its users with an email describing what had happened. Fortunately, it looks as though the bad guys only managed to make off with email addresses.

This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor's member email list.

How will this affect you? In many cases, it won't. Only a portion of member email addresses were taken, and all member passwords remain secure.

The stolen email list will be pretty handy to spammers and scammers, and TripAdvisor shouldn't have let the crooks get hold of it. But many people publish their email addresses openly anyway, or have addresses that are easy to guess. So your email address is probably the least worrying part of your online persona to lose.

That makes this an embarrassing breach rather than a dangerous one. However, that's cold comfort for TripAdvisor.

If you use email for direct marketing purposes, don't let yourself get caught out like Play.com or TripAdvisor. Whether you lose email lists from your own servers or through a third-party marketing company is irrelevant - it's your brand which suffers. Even if you only lose email addresses, it's a poor advertisement for your business.

One Response to TripAdvisor admits to database security breach

  1. Andrew Ludgate · 1120 days ago

    "If you use email for direct marketing purposes, don't let yourself get caught out like Play.com or TripAdvisor. Whether you lose email lists from your own servers or through a third-party marketing company is irrelevant - it's your brand which suffers. Even if you only lose email addresses, it's a poor advertisement for your business."

    That said, if you use email for direct marketing purposes and suffer a security breach, PLEASE come clean like Play.com and TripAdvisor did. Leaving your subscribers in the dark makes them much more prone to falling for a phishing scam or other attack than if they've been informed of the breach.

    While publicly admitting to a breach might be poor advertising, covering it up will likely turn out to be even worse advertising in the long run as people external to the company put two and two together.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog