Sigh...
Another day, another security clusterfuck. Do these companies actually believe "it won't happen to us"???
TripAdvisor has suffered a data breach at its Viator tour-booking and review website. An estimated 1.4 million Viator customers are potentially affected by the compromise, which the firm admits may have exposed payment card data. The compromise also potentially aired the email address, password and Viator "nickname" …
"I think it's more of a case that companies figure the cost of doing it properly outweighs the cost of mitigation. "
Which it does in a penalty-free world. Lawmakers and regulators likewise stick their fingers in their ears or find excuses as to why they can't act, and so it continues.
In the UK the data protection arrangements aren't too bad, but the ICO is limited to penalties of £0.5m. That's enough to spoil an SME's day, but for the big retailers, on-lines, and data processors that's chicken feed that they don't give a stuff about. If the ICO were allowed to levy fines up to 1% of turnover, that would concentrate minds, but there's no chance that the likes of Google would allow Jellyfish Dave to implement that sort of regime.
I've been hitting TripAdvisor (and others) heavily in the last few days for some upcoming trips, and noticed two things: The two major popups that kept fucking popping up are booking.com and tripadvisor.com, so I'll be doing business with neither.
Not only that, I'm starting to suspect that, of the 1.4 million customers, half of them were aliases of companies trying to talk themselves up, and the other 50% were the competition trying to talk the first half down.
So I make my bookings by that thing they call a telephone. It's a novel idea, and it gives the NSA something to listen to in between the drug dealers and terrorists they keep telling us they're protecting us from.
I use TripAdvisor to find a hotel/venue then Quidco to find a site to book through (usually ends up being Expedia). Saves a bit of money in the long run - neither stores my credit card details.
Quidco does have my bank account details for BACS payments but my bank also has securecall so I need to supply a PIN number for any account transfers out - so no problem there.
Using the phone is worse in some respects as there is NOTHING stopping someone overhearing and writing down the details you say into the phone. Phone calls are always treated as HTTP traffic in my mind.