Ctrip Concedes Credit Card Breach at a Very Inopportune Moment

Ctrip, China’s largest online travel agency, conceded that some customers’ credit card information has been compromised.

Such a breach is never good, but this one occurs just as Ctrip seeks to woo more outbound Hong Kong travelers with the launch of a dedicated Hong Kong website.

And, company officials obviously will be hoping that news of the data breach won’t slow its push for greater online and mobile adoption, which reached more than 65% of its transactions in the fourth quarter, up from around 50% a year earlier.

Ctrip says a third-party website focused on Internet security — reportedly WooYun.org — informed the company March 22 that customers’ credit card information was susceptible to hacking as it was stored on local servers that Ctrip maintained.

After conducting an investigation, Ctrip says the third-party website “might have” downloaded credit card information from 93 customers to confirm the potential risks. Ctrip says it isn’t aware of any customers suffering financial losses or damages.

Ctrip claims this customer data had been stored on the local servers because of a “temporary” test, and Ctrip “removed the cause of the potential security concern within two hours” of being alerted to the problem.

Ctrip says it made public statements in China to inform customers of the breach, has set up phone lines for customers to call about the breach, and has invited the “security white hat” to work with Ctrip to improve its security.

Ctrip has also established a RMB5 million ($800,000) fund “to reward people and institutions who can effectively help Ctrip improve the security practice.”