CitySights owner Twin America says the credit card details of 110,000 customers were stolen in a Web based attack and suggests it wasn’t following Payment Card Industry guidelines for storing card data. The parent company of the CitySights sightseeing tours company, Twin America LLC, said in a letter to states’ attorneys general that a SQL injection attack on a company Web server in September resulted in the theft of personal and financial data on 100,000 of the company’s customers.
The breach came to light after a letter sent to New Hampshire Attorney General Michael Delaney, dated December 9, 2010, was posted online. Details of the attack suggest that the New York based firm may not have been complying with payment card industry standards for storing financial data at the time of the attack.Twin America did not immediately respond to requests for comment.
In its letter to the New Hampshire Attorney General, Twin America, speaking through attorney Theodore Augustinos of the firm Edwards Angell Palmer & Dodge LLP, said around 300 New Hampshire residents were among those affected by the attack.
The company further said it first became aware of the breach on October 19, when a Web programmer working for Twin America discovered an unauthorized script that had been uploaded to the Company’s Web server. The attack was believed to have taken place on September 26th with “unauthorized access” to the database occurring between the September 26th and the discovery date.
The database contained a variety of customer financial data, including the customer’s name, address, e-mail address, credit card number, as well as the expiration date and card verification value (CVV2) data. If true, that would mean that Twin America was in violation of Payment Card Industry (PCI) regulations on data retention, which prohibit retailers from permanently storing the CVV2 data along with other card data, because it makes it far easier to generate fraudulent transactions when combined with the card data.
Twin America said it has filed a complaint with the FBI’s Internet Crime Complaint Center and hired Kroll, Inc. to investigate the incident. It has also notified individuals affected by the breach and patch discovered vulnerabilities on its Web server, deployed an application layer firewall, limited access to its Web based administrative panel and changed and hardened administrative passwords throughout its organization.