Popular travel website TripAdvisor is the latest well-known brand to ‘fess up to a security breach.
Earlier this week, online entertainment retailer Play.com lost a bunch of customer data to cybercrooks via an external marketing company. Late last week, no less a scalp than RSA – the security company’s security company! – admitted publicly that criminals had penetrated its servers and stolen possibly-significant trade secrets.
TripAdvisor alerted its users with an email describing what had happened. Fortunately, it looks as though the bad guys only managed to make off with email addresses.
This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor's member email list.
How will this affect you? In many cases, it won't. Only a portion of member email addresses were taken, and all member passwords remain secure.
The stolen email list will be pretty handy to spammers and scammers, and TripAdvisor shouldn’t have let the crooks get hold of it. But many people publish their email addresses openly anyway, or have addresses that are easy to guess. So your email address is probably the least worrying part of your online persona to lose.
That makes this an embarrassing breach rather than a dangerous one. However, that’s cold comfort for TripAdvisor.
If you use email for direct marketing purposes, don’t let yourself get caught out like Play.com or TripAdvisor. Whether you lose email lists from your own servers or through a third-party marketing company is irrelevant – it’s your brand which suffers. Even if you only lose email addresses, it’s a poor advertisement for your business.
"If you use email for direct marketing purposes, don't let yourself get caught out like Play.com or TripAdvisor. Whether you lose email lists from your own servers or through a third-party marketing company is irrelevant – it's your brand which suffers. Even if you only lose email addresses, it's a poor advertisement for your business."
That said, if you use email for direct marketing purposes and suffer a security breach, PLEASE come clean like Play.com and TripAdvisor did. Leaving your subscribers in the dark makes them much more prone to falling for a phishing scam or other attack than if they've been informed of the breach.
While publicly admitting to a breach might be poor advertising, covering it up will likely turn out to be even worse advertising in the long run as people external to the company put two and two together.