110,000 Credit Card Numbers Stolen in Tour Company Web Server Hack


(WEB HOST INDUSTRY REVIEW) -- New York City bus tour company CitySights NY (www.citysightsny.com) announced earlier this month that a SQL injection attack on its web server compromised about 110,000 credit card numbers. 

Although the breach happened on September 26, it was discovered a month later on October 25 when a web programmer noticed the unauthorized script. 

The breach became public on December 9 when a letter sent to New Hampshire Attorney General Michael Delaney from CitySights' parent company, Twin America, was posted online. Around 300 New Hampshire residents were among those affected by the attack.

In the letter, Twin America suggests the Payment Card Industry (PCI) guidelines for storing card data were not being met.

The database held customer financial data, including the customer's name, address, email address and credit card information. Included in the credit card information was the expiration date and card verification value (CVV2) data. 

By holding this additional credit card information, Twin America was in violation of PCI regulations on data retention, which ban retailers from permanently storing CVV2 data, because CVV2 combined with the other card details makes it much easier to create fraudulent transactions.

Twin America says in the letter that it has taken measures to improve its data security. These steps include: changing all administrative-level passwords, limiting access to the administration panel and the server to a handful of pre-approved IP addresses, patching scripting vulnerabilities and setting up an application firewall, and reconfiguring its systems so future transactions are processed without storing credit card data.
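As an added illustration, not code from the article or from CitySights/Twin America, the following Python sketch shows two of the listed controls in a minimal order store: binding user input as SQL parameters instead of splicing it into the query, and keeping CVV2 and the full card number out of the stored record. Function names, the schema and the sample card data are constructed assumptions.

```python
import re
import sqlite3

# Fields that must never reach persistent storage after authorization.
SENSITIVE_FIELDS = ("pan", "cvv2")


def redact_card(card: dict) -> dict:
    """Return only the card details that may be stored: a masked PAN
    (last four digits visible) and the expiry. CVV2 is dropped entirely."""
    pan = re.sub(r"\D", "", card["pan"])
    if len(pan) < 13:
        raise ValueError("PAN too short to be a card number")
    masked = "*" * (len(pan) - 4) + pan[-4:]
    return {"pan_masked": masked, "expiry": card["expiry"]}


def open_store() -> sqlite3.Connection:
    """In-memory store; the schema deliberately has no column for
    CVV2 or the full PAN, so over-retention is impossible by design."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, email TEXT, "
        "pan_masked TEXT, expiry TEXT)"
    )
    return conn


def store_order(conn: sqlite3.Connection, email: str, card: dict) -> int:
    """Persist an order, guaranteeing sensitive card fields are stripped."""
    safe = redact_card(card)
    for field in SENSITIVE_FIELDS:
        assert field not in safe, f"{field} must not be stored"
    cur = conn.execute(
        "INSERT INTO orders (email, pan_masked, expiry) VALUES (?, ?, ?)",
        (email, safe["pan_masked"], safe["expiry"]),
    )
    return cur.lastrowid


def find_orders(conn: sqlite3.Connection, email: str) -> list:
    """Parameterized lookup: the email value is bound by the driver, never
    concatenated into the SQL text, so it cannot change the query's shape."""
    return conn.execute(
        "SELECT id, pan_masked, expiry FROM orders WHERE email = ?",
        (email,),
    ).fetchall()
```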

Twin America has sent breach notification letters to the affected customers, offering them a free one-year membership with a credit monitoring service and a coupon with a 50 percent discount on one of its tours.

Several reports suggest, however, that Twin America still has security improvements to make, noting that the coupon code published in the breach notification letter was 012345.
