Sightseeing Firm Overlooks Security, 110k Credit Card Numbers Stolen

CitySights owner Twin America says the credit card details of 110,000 customers were stolen in a Web based attack and suggests it wasn’t following Payment Card Industry guidelines for storing card data.

The parent company of the CitySights sightseeing tours company, Twin America LLC, said in a letter to states’ attorneys general that a SQL injection attack on a company Web server in September resulted in the theft of personal and financial data on 100,000 of the company’s customers.

The breach came to light after a letter sent to New Hampshire Attorney General Michael Delaney, dated December 9, 2010, was posted online. Details of the attack suggest that the New York-based firm may not have been complying with payment card industry standards for storing financial data at the time of the attack. Twin America did not immediately respond to requests for comment.

SQL injection attacks are one of the most common forms of Web-based attack, owing to their simplicity and the wealth of poorly defended targets on the Internet.
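To make the class of flaw concrete, here is an added example (not Twin America's code and not from the article) showing a string-built SQL lookup beside its parameterized replacement. It runs against an in-memory SQLite table of constructed customer rows; the `customers` table, the sample e-mail addresses and the card numbers are all assumptions made for the demonstration.

```python
"""Vulnerable string-built SQL lookup beside its parameterized replacement.

Constructed example, not Twin America's code: an in-memory SQLite table of
made-up customer rows stands in for the Web server's database.
"""
import sqlite3

# Constructed sample data; the card numbers are test values, not real cards.
SAMPLE_ROWS = [
    ("alice@example.test", "4111111111111111", "12/12"),
    ("bob@example.test", "5500000000000004", "06/13"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, card TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # BUG (deliberate, for illustration): the caller-supplied value is spliced
    # into the SQL text, so quote characters in it change the query's structure.
    sql = "SELECT email FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    # The driver sends the value separately from the statement text, so
    # whatever it contains is compared as data and never parsed as SQL.
    sql = "SELECT email FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo() -> dict:
    """Run both lookups on a normal value and on a value containing a quote."""
    conn = build_db()
    honest = "alice@example.test"
    # A value that, when spliced into the vulnerable query, turns the WHERE
    # clause into a tautology and so returns every row in the table.
    tautology = "x' OR '1'='1"
    return {
        "vuln_honest": lookup_vulnerable(conn, honest),
        "vuln_tautology": lookup_vulnerable(conn, tautology),
        "safe_honest": lookup_parameterized(conn, honest),
        "safe_tautology": lookup_parameterized(conn, tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Running `demo()` shows the vulnerable lookup returning both rows for the quoted input while the parameterized lookup returns none, because the same bytes are compared against the column rather than interpreted as SQL. Parameterization is the fix; input validation, as one of the commenters below notes, is a worthwhile second layer but not a substitute for it.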

In its letter to the New Hampshire Attorney General, Twin America, speaking through attorney Theodore Augustinos of the firm Edwards Angell Palmer & Dodge LLP, said around 300 New Hampshire residents were among those affected by the attack.

The company further said it first became aware of the breach on October 19, when a Web programmer working for Twin America discovered an unauthorized script that had been uploaded to the company’s Web server. The attack was believed to have taken place on September 26, with “unauthorized access” to the database occurring between September 26 and the discovery date.

The database contained a variety of customer financial data, including the customer’s name, address, e-mail address and credit card number, as well as the card’s expiration date and card verification value (CVV2). If true, that would mean that Twin America was in violation of Payment Card Industry (PCI) regulations on data retention, which prohibit retailers from permanently storing CVV2 data along with other card data, because a CVV2 stored alongside the card number makes it far easier to generate fraudulent transactions.
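As an added illustration of the retention rule described above (not Twin America's code and not a PCI DSS reference implementation), the following Python sketch reduces a card record received at checkout to the fields that are persisted. The CVV2 has no column in storage at all; the example also truncates the card number to its last four digits, which is a conservative choice assumed here rather than something the article states. The `cards` table and the test card values are constructed for the example.

```python
"""Reduce a captured card record to what may be retained after authorization.

Added example, not Twin America's code. It follows the rule the article
describes: the CVV2 is never written to storage. Truncating the PAN to its
last four digits is an additional conservative choice assumed here.
"""
from dataclasses import dataclass
import sqlite3


@dataclass(frozen=True)
class CardInput:
    """What the checkout form receives; lives only in memory."""
    name: str
    pan: str        # full primary account number, as typed
    expiry: str     # MM/YY
    cvv2: str       # card verification value, used for authorization only


@dataclass(frozen=True)
class StoredCard:
    """The only card-related fields this example persists; no CVV2 field exists."""
    name: str
    pan_last4: str
    expiry: str


def to_storable(card: CardInput) -> StoredCard:
    """Drop everything that must not be retained before anything touches disk."""
    digits = "".join(ch for ch in card.pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("PAN too short to be a card number")
    return StoredCard(name=card.name, pan_last4=digits[-4:], expiry=card.expiry)


def persist(conn: sqlite3.Connection, card: CardInput) -> None:
    row = to_storable(card)
    conn.execute(
        "INSERT INTO cards (name, pan_last4, expiry) VALUES (?, ?, ?)",
        (row.name, row.pan_last4, row.expiry),
    )


def retained_columns(conn: sqlite3.Connection) -> list:
    """Column names actually present in storage, for a retention audit."""
    return [info[1] for info in conn.execute("PRAGMA table_info(cards)")]


def demo() -> tuple:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (name TEXT, pan_last4 TEXT, expiry TEXT)")
    # Constructed test card; not a real account.
    persist(conn, CardInput("A. Customer", "4111 1111 1111 1111", "12/12", "123"))
    rows = conn.execute("SELECT name, pan_last4, expiry FROM cards").fetchall()
    return rows, retained_columns(conn)


if __name__ == "__main__":
    stored_rows, columns = demo()
    print("columns:", columns)
    print("rows:", stored_rows)
```

The point of `retained_columns` is that a retention check can be run against the schema itself: if no column can hold a CVV2 or a full card number, a SQL injection against the Web tier cannot exfiltrate them, whatever else it reaches.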

Twin America said it has filed a complaint with the FBI’s Internet Crime Complaint Center and hired Kroll, Inc. to investigate the incident. It has also notified individuals affected by the breach, patched discovered vulnerabilities on its Web server, deployed an application layer firewall, limited access to its Web-based administrative panel and changed and hardened administrative passwords throughout its organization.

Discussion

  • Anonymous on

    Too bad these are all things that an administrator should know to have in place before-hand.

  • Rory Alsop on

    Sad that this is one of the simplest things to fix. Have a quick look at the discussion over at Security Stack Exchange - simple guidance on how to sort the problem. Input validation!!!

  • Comkd on

    Also, use of Input Sanitation... 

  • Anonymous on

    Beyond anything else there is no reason to store that information in your database.  It is not required even for recurring billing.  Your merchant services provider provides a hash when you have to pre-authorize a card, or create a recurring billing transaction.. The only data they should store is 4 digits of the card and the expiration date.  Nothing else...

    There was also obviously very little if any effort to isolate/firewall the sql server from the web server - they were probably on the same network zone - just sad...

    Come on people if you are going to store personal information of ANY KIND be smart about it - web servers should be on a different zone than your sql servers, you need good firewall and monitoring in place between your web-server and sql...  the list goes on and on...

    This is why other "responsible" merchants are getting charged up the A$$ with fees, and PCI charges because of these people...

    Well at $20k / per incident I sure hope they have insurance - this could be a multi million dollar fine if they are not PCI compliant - as all companies that process cards had to be on July 2010.

    -Dan

  • Anonymous on

    I once worked for a company that did not follow any type of security practice for locking down credit card numbers.  When I pointed it out to higher-ups, I was the troublemaker.

    People are stupid; that is why information security is a losing battle and, at worst, an illusion.

  • Anonymous on

    As a victim of this, it is really sad to know people are not following the laws and rules that are set in place to keep consumers' information safe from prying eyes. It is unfortunate and I really hope they are charged a nice fine! I have jumped through many hurdles to get my credit card straightened out and I only hope there is nothing else out there pending.

  • Walter on

    Besides being unable to set up the correct security, the information sent to their customers is just as bad. I only received a mail from them in February 2011 informing me about the theft, and the only means of contacting TwinAmerica is a telephone number they mention in the mail. As I live in Europe, calling them is not a good option. TwinAmerica or CitySights? Never again.

  • Dan on

    I suspect a scam all the way around. Interesting that they are now trying to sell credit card security insurance. I don't believe it.
