110,000 Credit Card Numbers Stolen in Tour Company Web Server Hack




(WEB HOST INDUSTRY REVIEW) -- New York City bus tour company CitySights NY (www.citysightsny.com) announced earlier this month that a SQL injection attack on its web server compromised about 110,000 credit card numbers. 

Although the breach happened on September 26, it was discovered a month later on October 25 when a web programmer noticed the unauthorized script. 

The breach became public on December 9 when a letter sent to New Hampshire Attorney General Michael Delaney from CitySights' parent company, Twin America, was posted online. Around 300 New Hampshire residents were among those affected by the attack.

In the letter, Twin America suggests the Payment Card Industry (PCI) guidelines for storing card data were not being met.

The database held customer financial data, including the customer's name, address, email address and credit card information. Included in the credit card information was the expiration date and card verification value (CVV2) data. 

With this additional credit card information, Twin America was in violation of PCI regulations on data retention, which ban retailers from permanently storing the CVV2 data because it makes it much easier to create fraudulent transactions when combined with the other card information.

Twin America says in the letter that it has taken measures to improve its data security. These steps include: changing all administrative level passwords, limiting access to the administration panel and the server to a handful of pre-approved IP addresses, patching scripting vulnerabilities and setting up an application firewall, and reconfiguring its systems so future transactions are processed without storing credit card data.
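Two of the fixes above, patching the scripting vulnerability and no longer storing card data, come down to code. The following is an added example, not CitySights' or Twin America's code and not taken from the letter: it uses an in-memory SQLite database with constructed sample customers, shows the string-concatenated query pattern that makes SQL injection possible beside its parameterized form, and records a transaction in a way that keeps only the last four digits and a processor reference, never the full card number, expiry or CVV2. The `authorize_with_processor` function is a hypothetical stand-in for a real payment processor call; the `database_contains` helper is an audit check that dumps every row to confirm that nothing sensitive was persisted.

```python
import re
import sqlite3


def init_db() -> sqlite3.Connection:
    """Constructed in-memory schema and sample data (not any real company's system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    # Note what the transactions table deliberately lacks: no pan, no expiry, no cvv2 column.
    conn.execute(
        "CREATE TABLE transactions ("
        "id INTEGER PRIMARY KEY, customer_id INTEGER, amount_cents INTEGER, "
        "card_last4 TEXT, processor_ref TEXT, authorized INTEGER)"
    )
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [("Alice Example", "alice@example.com"), ("Bob Example", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_customer_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable pattern: user input is spliced into the SQL text, so a crafted
    value changes the query itself instead of being compared as data."""
    query = "SELECT id, name, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def find_customer_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened pattern: the driver sends the value separately from the SQL text,
    so whatever the user typed can only ever be matched against the email column."""
    return conn.execute(
        "SELECT id, name, email FROM customers WHERE email = ?", (email,)
    ).fetchall()


PAN_RE = re.compile(r"\d{13,19}")
CVV2_RE = re.compile(r"\d{3,4}")


def authorize_with_processor(pan: str, expiry: str, cvv2: str, amount_cents: int) -> dict:
    """Hypothetical stand-in for the payment processor call. A real integration
    sends PAN, expiry and CVV2 to the processor over TLS and gets a reference back;
    that reference, not the card data, is what the merchant keeps."""
    return {"approved": True, "processor_ref": f"ref-{amount_cents}"}


def record_transaction(conn: sqlite3.Connection, customer_id: int, amount_cents: int,
                       pan: str, expiry: str, cvv2: str) -> int:
    """Authorize the payment, then persist only the subset PCI DSS permits after
    authorization: last four digits and the processor's reference."""
    if not PAN_RE.fullmatch(pan) or not CVV2_RE.fullmatch(cvv2):
        raise ValueError("malformed card data")
    result = authorize_with_processor(pan, expiry, cvv2, amount_cents)
    cur = conn.execute(
        "INSERT INTO transactions (customer_id, amount_cents, card_last4, processor_ref, authorized) "
        "VALUES (?, ?, ?, ?, ?)",
        (customer_id, amount_cents, pan[-4:], result["processor_ref"], int(result["approved"])),
    )
    conn.commit()
    # The full PAN, expiry and CVV2 exist only as locals here and are never written out.
    return cur.lastrowid


def database_contains(conn: sqlite3.Connection, secret: str) -> bool:
    """Audit helper: dump every table and row as SQL and check whether a given
    sensitive value ended up stored anywhere."""
    return any(secret in line for line in conn.iterdump())


if __name__ == "__main__":
    db = init_db()
    probe = "' OR '1'='1"  # constructed probe value to contrast the two lookups
    print("unsafe lookup rows:", len(find_customer_unsafe(db, probe)))  # every customer
    print("safe lookup rows:  ", len(find_customer_safe(db, probe)))    # none
    txn = record_transaction(db, 1, 4999, "4111111111111111", "12/27", "987")
    print("stored txn", txn, "| full PAN persisted:", database_contains(db, "4111111111111111"),
          "| CVV2 persisted:", database_contains(db, "987"))
```

The two lookups take the same input and only differ in whether the value is part of the SQL string; that single difference is the whole of the "patching scripting vulnerabilities" step for this class of bug. The retention half is a schema decision as much as a code one: if the table has no column for CVV2 or the full card number, a later developer cannot accidentally start storing them, and the `database_contains` dump is a cheap way to verify that claim on a test database.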

Twin America has sent breach notification letters to the affected customers, offering them a one-year free membership with a credit monitoring service and a coupon with a 50 percent discount for one of their tours.

Several reports suggest, however, that Twin America still has security improvements to make, noting that the coupon code published in the breach notification letter was 012345.

