It is unfortunate, but a fact that many organizations are going to suffer hacks. The internet was designed to be a cybercriminal’s dream. That was not the intent of the internet, but the design certainly is such that it serves the purpose well. Fortunately it also serves many great purposes quite well too.

News came out that Tripadvisor.com has suffered a data breach. According to a message from the CEO of Tripadvisor only a portion of the member’s email addresses were stolen and no passwords were compromised. If this is true, it is indeed good news that the passwords were secured. You have to give them credit for getting that part of the security right.

Tripadvisor, like many companies is still having difficulty with reasonable disclosure however. Was it really only email addresses that were stolen? Were there really no first and last names associated with the email addresses? Maybe it only was some email addresses, but I do find that highly unlikely. Tripadvisor states that a portion of the user email addresses were compromised. 99.9999% is a portion. 1% is also a portion. Was it a significant portion? If I am a member, are the odds high that my address was stolen? The actual language in the email from the CEO seems to be intentionally vague, which usually means it was a significant portion. The email says that many users will be unaffected, but that is quite different from saying that most users will not be affected.

Time will tell if only email addresses were compromised or if the breach, as is often the case, was more significant than first acknowledged. Currently Tripadvisor advises that the only affect to users is potentially a bit more spam.

Randy Abrams
Director of Technical Education
Cyber Threat Analysis Center
ESET North America