Aussie Travel Agency Data Leak Puts Thousands of Tourists at Risk


Melbourne-based travel agency, Inspiring Vacations, left a massive 26.8 GB database publicly exposed, devoid of any security measures like authentication or passwords.

A data leak at a Melbourne-based travel agency has exposed the personal information of thousands of tourists, raising concerns about online security and privacy in the travel industry. 

The leak was discovered by cybersecurity researcher Jeremiah Fowler and reported to WebsitePlanet. Fowler came across a publicly exposed database containing 112,605 records spanning 26.8 GB and owned by the Australian travel agency Inspiring Vacations. 

The exposed data include high-resolution passport images, travel visa certificates, and itinerary or ticket files. Most of the individuals in the records were Australian citizens, but identification documents from New Zealand, the United Kingdom, and Ireland were also found. 

The number of affected passports is unclear but around 1,000 identification documents were found in a limited sample—other files detailed customers’ passport numbers and other personally identifiable information (PII). The file names were structured to include the individual’s name in plain text.

The database stored data on 13,684 customers, including names, email addresses, trip costs, and destinations, contained in 48 Excel spreadsheets. It also contained 24,000 itinerary and e-ticket documents, some showing partial credit card numbers, and internal company documents, including 17,000 tax invoices to partners and affiliates.

Type of records exposed in the data leak (Screenshots: WebsitePlanet)

The database remained undetected for an unknown period, potentially putting the impacted tourists/individuals at risk of identity theft, fraud, and other cybercrime. What’s worse is that it contained a folder of CVs or resumes, which cybercriminals can also exploit for identity theft, fraud, and other cybercrime.

The exposed information could also be used for phishing scams with malicious emails tricking users into giving away their login credentials or revealing additional sensitive data, such as financial information via too-good-to-be-true travel deals.

Further, scammers could use resume information to trick candidates with fake job opportunities and request upfront payments as fees for employment processing or background checks.

It is noteworthy that fake job scams have inflicted substantial financial losses on companies, amounting to hundreds of millions of dollars in damages. A prominent example of this threat is evident in the case of Axie Infinity, a blockchain company that suffered a staggering loss of $625 million. Furthermore, these scams have facilitated threat actors in compromising the devices of unsuspecting users by spreading malware.

The leaked passport data and travel details of tourists could lead to serious problems. Malicious threat actors might use this information to pretend to be someone else, causing identity theft and financial issues for tourists. Scammers could also trick them into fake schemes or use their details for illegal activities.

The leaked data might put tourists at risk during their travels, making them vulnerable to scams or even physical harm. Keeping this information safe is crucial to protect tourists from various risks and ensure their safety during trips.

Nevertheless, Fowler responsibly disclosed the issue to Inspiring Vacations, and the company has since ensured the database. So far, there is no indication of unauthorized access or suspicious activity. An internal forensic audit would identify that. Experts advise travellers to be cautious about sharing personal information with travel agencies. 

Post-exposure standard safety practices include regularly checking credit card statements for unauthorized activity and preferring fraud protection services.

Businesses collecting and storing identity documents should enhance their data security measures, conduct thorough audits, encrypt sensitive information, and implement robust cybersecurity protocols. Companies could also delete sensitive customer records or set a time limit and expiration date. 

  1. Int’l Dog Breeding Org WALA Exposes 25GB of Pet Owners Data
  2. User data exposed in Australia’s 2nd-largest telecom firm breach
  3. Data Leak Exposes 1.5B Real Estate Records, Including Kylie Jenner
  4. Texas School Safety Software Data Leak Endangers Student Safety
  5. Aussie Defence Force Communications Service Hit by Ransomware Attack





Source link