Payment services provider YapStone (VacationRentPayment) sent out a letter last month notifying property managers and owners who had applied for merchant accounts through HomeAway that personal information in their applications may have been compromised between July 15, 2014 and August 5, 2015. Reportedly, the VacationRentPayment application was stored by YapStone using an inadequately secured URL and may have been accessed by unauthorized users during this timeframe.
In the letter dated September 11, 2015, YapStone CEO Thomas J. Villante wrote, “Unfortunately, due to this application being available, your email, Social Security number, driver’s license, date of birth, and bank account were potentially exposed.”
When YapStone discovered the problem on August 5, they immediately blocked unauthorized access to the URL and began an investigation.
In a statement provided to VRM Intel by Steve Davis, HomeAway Chief Information Officer said:
“YapStone, one of HomeAway’s payment providers, notified us that a private URL containing vacation rental owner’s and manager’s personal information was made publicly accessible, resulting in an information disclosure that occurred on YapStone’s systems. The issue was immediately corrected and potentially impacted customers were notified. No exposure of credit card information or passwords occurred, nor were HomeAway systems compromised in any way. We continue to support YapStone through this process and work closely with their team to ensure they continue to meet HomeAway’s high standards for security and data protection. HomeAway and YapStone sincerely regret any inconvenience this has caused our customers.”
As a result of YapStone’s failure to protect their customer’s application data, the company is facing a data breach class action lawsuit filed by a customer who claims the company is negligent and in breach of contract because it failed to protect customer data from a possible breach. In the complaint, Plaintiff, Jonathan Koles alleges YapStone failed to take reasonable measures to protect its customers’ personal information, promptly notify them o f the possible breach and specify exactly what information may have been compromised.
According to the lawsuit, “As a result of Defendant’s ongoing failure to notify consumers regarding what type of [personally identifiable information] has been compromised, consumers are unable to take the necessary precautions to mitigate their damages by preventing future fraud.”
As outlined on BigClassAction.com, “Because VRBO customers were required to accept payments online and provide their bank account information, YapStone breached an implied contract with customers in failing to safeguard their financial information, the complaint adds.”
In an email posted to HomeAway’s Community forum, HomeAway also said, “YapStone has sent letters to customers who were affected. Each letter includes personalized information and a detailed FAQ that addresses many of the questions you may have. If you did not receive a letter, your information was not exposed.”
By Amy Hinote