Tour operator admits credit card data on 110,000 customers breached

The tour operator, Twin America (operating as CitySights NY), said that hackers used an SQL injection attack to access the company’s web server database, which contained the names, addresses, emails, credit card numbers, expiration dates, and card verification numbers of its customers. The database did not contain customers’ Social Security numbers or driver’s license numbers.

Details of the data breach were revealed in a Dec. 9 letter that the company’s attorney sent to the New Hampshire State Attorney General. The letter said that around 300 customers were New Hampshire residents.

The letter said that the breach was discovered Oct. 25 “when a web programmer discovered unauthorized script that appears to have been uploaded to the company’s web server, which is believed to have compromised the security of the database maintained on that server.”

Kroll was hired to investigate the data breach incident. Using the company’s backup log files, “Kroll ran searches to determine the extent of unauthorized access and identified the individuals whose personal information could have been accessed.”

The tour operator then notified the affected individuals and offered them call center support and free credit monitoring services through Experian.

The company is taking a number of steps to prevent future data breaches, including instituting stronger administrative-level passwords, restricting access to the administration panel and server, fixing database scripting vulnerabilities, and installing an application firewall.

“The company continues to monitor its systems and has reconfigured its systems so that transactions will be processed without storing credit card data on the company’s server,” the letter concluded.