110,000 Credit Card Numbers Stolen in Tour Company Web Server Hack



FAQs

Got questions about dotDefender? Please visit our knowledgebase for answers or contact Support at support@applicure.com.


Featured Blog Posts

Top Jordan website back up after hacking

AMMAN — Jordan's most popular news website, Ammonnews, said it was shut down ... read more ...

The Price of Ignoring SQL Injection Vulnerabilities

Research has shown that businesses just don’t take web application security seriously enough. For ... read more ...

Cisco Announces New Context-Aware Security Enforcement

Cisco continues to invest in addressing the rapidly changing security needs of businesses today with ... read more ...

(WEB HOST INDUSTRY REVIEW) -- New York City bus tour company CitySights NY (www.citysightsny.com) announced earlier this month that a SQL injection attack on its web server compromised about 110,000 credit card numbers. 

Although the breach happened on September 26, it was discovered a month later on October 25 when a web programmer noticed the unauthorized script. 

The breach became public on December 9 when a letter sent to New Hampshire Attorney General Michael Delaney from CitySight's parent company, Twin America, was posted online. Around 300 New Hampshire residents were among those affected by the attack.

In the letter, Twin America suggests the Payment Card Industry (PCI) guidelines for storing card data were not being met.

The database held customer financial data, including the customer's name, address, email address and credit card information. Included in the credit card information was the expiration date and card verification value (CVV2) data. 

With this additional credit card information, Twin America was in violation of PCI regulations on data retention, which bans retailers from permanently storing the CVV2 data because it makes it much easier to create fraudulent transactions when combined with the other card information.

Twin America says in the letter that it has taken measures to improve its data security. These steps include: changing all administrative level passwords, limiting the access to the administration panel and the server to a handful of pre-approved IP addresses, patching scripting vulnerabilities and setting up an applications firewall, and reconfiguring its systems so future transactions are processed without storing credit card data.

Twin America has sent breach notification letters to the affected customers, offering them one-year free membership with a credit monitoring service and a coupon with a 50 percent discount for one of their tours. 

Several reports suggest Twin America still has security improvements to make however, noting that the coupon code published in the breach notification letter was 012345.  


Related Articles:

The Most Vulnerable Programming Languages
Vendor Lock In or Ignorant Design?
Khodorkovsky's website attacked amid announcement of sentencing

Applicure Technologies Ltd.

Products

Solutions

Connect with Applicure

Please Wait...