TripAdvisor Breach Notification TMI

03/25/2011 | Katherine Teitler

Yesterday, TripAdvisor emailed its members announcing a security compromise. The letter said that an “unauthorized third party” managed to gain access to its member email list through a vulnerability. The company did not say what was exploited or how its systems were breached, just that email addresses were exposed. The letter went on to say that, other than email addresses, no other information in its systems was compromised. TripAdvisor assured members that “no passwords were taken, and any and all password information is secure.” Because TripAdvisor does not collect financial or credit card data from its members, that data could not be leaked (advertisers are another story, but perhaps that is another post).

The result, claims the email, is that members may receive some spam, and members are advised to be on the lookout for suspicious emails and reminded not to click on links or provide any PII to unknown senders.

This is a very nice PSA on the part of TripAdvisor but it begs the question: If the only result of this breach was that a few members’ emails were stolen, did TripAdvisor need to send a formal email to their entire member base talking about collaboration with law enforcement and the new “additional security precautions” being implemented?

IANS is not advocating hiding security breaches from customers. In fact, we would advise companies to err on the side of caution when it comes to a breach. However, it appears, if one were to take TripAdvisor’s email at face value, that there is no resultant harm because of the breach (it’s 2011; don’t most email providers have spam filters to block suspicious messages?) and the breach does not require notification. If this is the case, why alarm members, most of whom probably do not know or care about breach notification laws or understand where the line is drawn as far as notifications?

I liken TripAdvisor’s email to the heightened paparazzi craze of the last few years. The sole reason for the paparazzi’s existence is to create media buzz and draw consumers into stories that may or may not be true and have very little supporting evidence behind them. While I don’t think TripAdvisor was attempting to generate media buzz (I am sure they’re trying to avoid their CNN moment), the effect on the consumer is the same. Members of the site are going to worry about what it means for them. Many will likely speculate that they don’t have the full story. Some might change their passwords, even though they were informed this wasn’t necessary. A few might even delete their TripAdvisor profile. Those who are social networking site aficionados could wonder what this means for the security of their information on other sites they frequent.

And all this because a few email addresses were stolen.

Again, IANS believes companies should always try to do right by their customers or members. That said, don’t we have a responsibility to practice safe security (pardon the redundancy)? Isn’t it our job as security professionals to temper what is not terribly important and not “cry wolf”? Doesn’t this go against the movement away from FUD and lessen credibility when or if something does go terribly wrong?

Keywords: Current Affairs