A major data breach has exposed the personal information of about 112,000 travelers, dealing a serious blow to Inspiring Vacations, a travel agency based in Melbourne. The exposure is serious because the records include partial credit card numbers, travel itinerary details, high-resolution passport images, and travel visa certificates.
A database of about 112,000 records, with no password protection, was inadvertently left accessible online in late November. The same database also contained a folder of resumes that disclosed each applicant’s full name, address, phone number, and email address. Australian nationals make up the bulk of the affected travelers, though customers from New Zealand, the United Kingdom, and Ireland were also included.
Acknowledging the breach, Inspiring Vacations immediately began investigating the incident. As required under Australia’s mandatory reporting scheme, the company has informed the relevant regulators, including the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. The breach was first found by cybersecurity researcher Jeremiah Fowler, who promptly notified the company and the authorities.
This incident is one more in the growing list of security failures affecting Australian businesses. Cyberattacks have risen markedly: the Australian Signals Directorate recorded more than 127,000 attacks against Australian servers across the 2022 and 2023 financial years. Incidents like this one heighten concern about the security of personal information and the consequences for the people affected, and underline the continued importance of strong cybersecurity controls for protecting private data.
Customer data is exposed after a database is made publicly accessible
According to cybersecurity researcher Jeremiah Fowler, Inspiring Vacations, a Melbourne-based travel agency, owned a database with no password protection that contained 112,605 records, most of them belonging to Australian customers, though records of customers in the UK, New Zealand, and Ireland were also present.
It is important to note that this figure is the number of records observed, not necessarily the number of customers affected.
According to reports, the database was in fact an Amazon Web Services (AWS) cloud storage bucket whose access configuration left it publicly readable, with no authentication required.
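The misconfiguration described above, a storage bucket that anyone on the internet can read, is one of the most common causes of this kind of exposure, and it can be detected from the bucket's own access metadata before a researcher finds it. The following is an added example written for this article, not code from Inspiring Vacations, AWS, or Fowler's report. It evaluates a bucket policy, a bucket ACL, and the Public Access Block settings, in the JSON shapes the AWS API returns, and reports whether anonymous access is possible. All sample documents in it are constructed for illustration (the bucket name `example-travel-docs`, the role ARN, and the VPC endpoint ID are invented); no real bucket is queried. In practice the three inputs come from boto3's `get_bucket_policy`, `get_bucket_acl`, and `get_public_access_block` calls.

```python
import json

# S3 predefined groups whose presence in an ACL grant means the bucket is not private.
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUP_URIS = {ALL_USERS_URI, AUTHENTICATED_USERS_URI}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True if a policy Principal element matches anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy):
    """Allow statements usable by any principal, as (Sid, actions, has_condition).

    Statements carrying a Condition block are reported but marked, because keys
    such as aws:SourceVpce or aws:PrincipalOrgID can narrow an otherwise-open
    statement; a reviewer still has to confirm the condition really restricts it.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action")), "Condition" in stmt))
    return findings


def public_acl_grants(acl):
    """ACL grants to AllUsers (anonymous) or AuthenticatedUsers (any AWS account)."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            hits.append((grantee["URI"], grant.get("Permission")))
    return hits


def assess_bucket(policy, acl, public_access_block=None):
    """Combine policy, ACL and Public Access Block settings into a verdict.

    RestrictPublicBuckets neutralises a public bucket policy and IgnorePublicAcls
    neutralises public ACL grants, so each signal only counts as exposure when the
    matching block setting is absent or false.
    """
    pab = public_access_block or {}
    unconditional = [f for f in public_policy_statements(policy) if not f[2]]
    acl_hits = public_acl_grants(acl)
    via_policy = bool(unconditional) and not pab.get("RestrictPublicBuckets", False)
    via_acl = bool(acl_hits) and not pab.get("IgnorePublicAcls", False)
    return {
        "public_policy_statements": unconditional,
        "public_acl_grants": acl_hits,
        "exposed": via_policy or via_acl,
    }


if __name__ == "__main__":
    # Constructed sample documents (not real bucket data). The first pair mirrors the
    # misconfiguration class in the article: anonymous read of every object.
    exposed_policy = {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-travel-docs", "arn:aws:s3:::example-travel-docs/*"]}]}
    public_acl = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"}]}
    # Hardened form: one application role only, no group grants, all four blocks on.
    hardened_policy = {"Version": "2012-10-17", "Statement": [{
        "Sid": "AppOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/booking-app"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-travel-docs/*"}]}
    private_acl = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
    block_all = {k: True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                   "BlockPublicPolicy", "RestrictPublicBuckets")}
    print(json.dumps(assess_bucket(exposed_policy, public_acl), indent=2))
    print(json.dumps(assess_bucket(hardened_policy, private_acl, block_all), indent=2))
```

The check deliberately treats `AuthenticatedUsers` as public: that group means any AWS account holder, not the bucket owner's own users, so it offers no real protection. It also refuses to declare a conditional statement safe on its own, since a condition can be as broad as `aws:SecureTransport` and still leave the bucket open to the world.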
According to a company statement, Inspiring Vacations promptly notified its customers of the incident once it was discovered in December of last year.
An Inspiring Vacations representative stated, “We take cyber security and the protection of our data seriously. We contacted staff and customers in early December to announce an investigation into these claims, supported by external experts.”
“We’ll keep our stakeholders informed as this investigation develops.”
The database held 26.8 gigabytes of data in total, including “potentially sensitive information such as high-resolution passport images, travel visa certificates, and itinerary or ticket files,” according to Fowler.
Fowler saw “an estimated” 1,000 identity documents; however, since other files in the database contained passport numbers and other personally identifiable information, the actual number of customers whose identities are exposed is likely much higher.
The database also contained 48 .xls spreadsheets holding the personal data of 13,684 customers, including names, email addresses, locations, travel expenses, and other details.
According to Fowler, there were approximately 24,000 itinerary and e-ticket .pdf documents, some of which included partial credit card numbers.
“The database included a variety of internal documents, such as 17,000 tax invoices to partners and affiliates that specify gross costs and commissions paid, in addition to customer files.”
Following the discovery, Fowler sent Inspiring Vacations a responsible disclosure notice, after which the database was secured against further public access.
“I got a response acknowledging that I didn’t download files from the database without redactions and thanking me for my notification,” Fowler continued.
Inspiring Vacations has notified the Office of the Australian Information Commissioner (OAIC), The Sydney Morning Herald reported.
Speaking with The Sydney Morning Herald, an OAIC representative confirmed that Inspiring Vacations had notified the organization.
The spokesperson said, “Inspiring Vacations has notified the Office of the Australian Information Commissioner of the incident.”
“We are contacting Inspiring Vacations to inquire about their compliance with the notifiable data breaches scheme at this preliminary stage.”
The information in the database poses a serious risk to those affected, even though the investigation has so far found no evidence that the exposed data was accessed or misused by unauthorized parties.
Threat actors could use the information to craft phishing emails or to extort money from victims. Partial credit card numbers are also a known social engineering lever: an attacker who can quote the last digits of a customer’s card appears legitimate and can trick the customer into supplying the remaining details.
A folder of resumes or CVs was also exposed in the database. According to Fowler, these documents contain far more personal information, including full names, addresses, phone numbers, and email addresses, which could be used for malicious purposes.
Threat actors could use those details to craft convincing phishing emails that persuade victims to hand over even more sensitive material, such as tax returns and other personal records.
With passport images and personal details in hand, threat actors may also be able to commit identity theft by opening accounts or applying for credit cards in victims’ names.