Viator learned of the incident on Sept. 2 when a payment card service provider notified the tours and activities website of unauthorized charges made to a number of customers’ credit cards.
It is unclear how systems at the company, now owned by TripAdvisor, were compromised.
The breach could have exposed card data, as well as customer email addresses, passwords and usernames for Viator online accounts.
The card data that was possibly stolen had legitimately been used to book trips through Viator’s website or apps.
As of Sept. 19, the company was in the process of alerting clients for whom some form of information was potentially compromised.
About 880,000 customers might “have had their payment card information (encrypted credit or debit card number, card expiration date, name, billing address and email address), and possibly their Viator account information (email address, encrypted password and Viator ‘nickname’) compromised,” a breach notice states. “In addition, we are notifying approximately 560,000 customers whose Viator account information may have been affected (email address, encrypted password and Viator ‘nickname’).”
There is currently no evidence that the security numbers located on the back of cards were accessed.