An Australian travel agency has leaked the data of thousands of its customers after it left a database openly accessible online.
Cyber security researcher Jeremiah Fowler said he discovered a non-password-protected database owned by Melbourne-based travel agency Inspiring Vacations, which contained 112,605 records belonging largely to Australian customers. However, data belonging to customers from Ireland, New Zealand, and the UK were observed as well.
It is worth noting that this number does not necessarily represent the number of customers affected but rather the number of records observed.
The database in question was reportedly an Amazon AWS cloud storage bucket that was incorrectly configured, allowing public access.
The incident was discovered in December last year, with Inspiring Vacations quickly informing its customers of the issue, according to a company statement.
“We treat cyber security and the protection of our data seriously, and we contacted staff and customers in early December to announce an investigation into these claims, supported by external experts,” said a spokesperson from Inspiring Vacations.
“We will update our stakeholders as this investigation progresses.”
The data contained in the database came to a total of 26.8 gigabytes and included “potentially sensitive information such as high-resolution passport images, travel visa certificates, and itinerary or ticket files”, said Fowler.
Additionally, Fowler observed “an estimated” 1,000 identification documents, but the number of customers identified is much greater, with other files in the database detailing other personally identifiable information such as passport numbers.
On top of this, the database contained 48 .xls spreadsheets detailing the information of 13,684 customers. This data included names, email addresses, destinations, trip costs and more.
“There were an estimated 24,000 itinerary and e-ticket .pdf documents, some of which show partial credit card numbers,” added Fowler.
“In addition to customer files, the database included various internal documents, such as 17,000 tax invoices to partners and affiliates that specify gross costs and commissions paid.”
Upon the discovery of the exposed database, Fowler informed Inspiring Vacations through a responsible disclosure notice and confirmed that the database was then secured to prevent further public access.
“I received a reply thanking me for my notification and confirming that I didn’t download files from the database without redactions,” added Fowler.
As reported by The Sydney Morning Herald, Inspiring Vacations has contacted the Office of the Australian Information Commissioner (OAIC).
A spokesperson from the OAIC, speaking with The Sydney Morning Herald, also confirmed that it had been notified by Inspiring Vacations.
“Inspiring Vacations has notified the Office of the Australian Information Commissioner of the incident,” said the spokesperson.
“We are making preliminary inquiries with Inspiring Vacations regarding its compliance with the notifiable data breaches scheme.”
Additionally, a spokesperson from Inspiring Vacations, speaking with Cyber Daily, has confirmed that an investigation has been launched and that a “dedicated team” is working to address the issue.
Cyber Daily has reached out to the privacy team at Inspiring Vacations for more information regarding the breach.
While there is no evidence at this stage in the investigation to suggest that the exposed data has been used by unauthorised users for malicious purposes, the data contained within the database presents a major danger to affected individuals.
For example, the data could be used by threat actors to construct phishing emails and extort money from victims. They could also use the known credit card information to engage in social engineering techniques and trick customers into providing them with the rest.
“The exposed database also contained a folder of CVs or résumés. These documents include much more personal information that can potentially be exploited for various malicious purposes, as they contain full names, addresses, phone numbers, and email addresses,” said Fowler.
These details would allow threat actors to write convincing phishing emails that would encourage victims to reveal even more sensitive information, such as tax information and other personal details.
The personal information and passport data could also allow threat actors to engage in identity theft, allowing them to apply for credit cards or open accounts.
This is a developing story. This article will be updated as new information comes to light, including that contained within a response by Inspiring Vacations.