This morning there was a message in my inbox from TripAdvisor with the subject of "An important message from our CEO". I was expecting that perhaps they were announcing that they had been acquired, but instead the message explain in plain words that some portion of TripAdvisor's email list had been stolen. This message, delivered with honesty and contrition, is an example to all companies about how to share news that your members' data has been stolen: do it, because it's your obligation and because it's what you'd want someone else to do for you. This great missive follows.
To our travel community:
This past weekend we discovered that an unauthorized third party had stolen part of TripAdvisor's member email list. We've confirmed the source of the vulnerability and shut it down. We're taking this incident very seriously and are actively pursuing the matter with law enforcement.
How will this affect you? In many cases, it won't. Only a portion of all member email addresses were taken, and all member passwords remain secure. You may receive some unsolicited emails (spam) as a result of this incident.
The reason we are going directly to you with this news is that we think it's the right thing to do. As a TripAdvisor member, I would want to know. Unfortunately, this sort of data theft is becoming more common across many industries, and we take it extremely seriously. I'd also like to reassure you that TripAdvisor does not collect members' credit card or financial information, and we never sell or rent our member list.
We will continue to take all appropriate measures to keep your personal information secure at TripAdvisor. I sincerely apologize for this incident and appreciate your membership in our travel community.
Co-founder and CEO