Hackers hit New York tour firm, access 110,000 bank cards
IDG News Service - Hackers have broken into the website of the New York tour company CitySights NY and stolen about 110,000 bank card numbers.
They broke in using a SQL injection attack on the company's Web server, CitySights NY said in a Dec. 9 breach notification letter published by New Hampshire's attorney general. The company learned of the problem in late October, when "a web programmer discovered [an] unauthorized script that appears to have been uploaded to the company's web server, which is believed to have compromised the security of the database on that server," the letter said.
CitySights NY believes that the SQL injection compromise occurred about a month earlier, on Sept. 26. In a SQL injection attack, hackers find ways to get real database commands into the server through its website. They do this by entering specially crafted text into Web-based forms or search boxes whose contents are used to build queries against the back-end database.
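The weakness described above comes down to how the form input reaches the database. The following is an added illustration, not code from the article or from CitySights NY: a constructed in-memory customer table is queried once by pasting the form value straight into the SQL string (the injectable pattern) and once with a bound parameter, so the same crafted input returns every row in the first case and nothing in the second.

```python
import sqlite3

# Constructed sample data standing in for a tour company's customer table.
# Column names and rows are assumptions for this demo, not a real schema.
SAMPLE_ROWS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """Injectable: the form value is concatenated into the SQL text, so
    quotes and keywords inside it are parsed as part of the command."""
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    """Hardened: the form value is passed as a bound parameter, so the
    database only ever treats it as a literal string to compare against."""
    sql = "SELECT name FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo():
    """Run both lookups against a textbook tautology input (constructed)."""
    conn = make_db()
    crafted = "x' OR '1'='1"  # turns the WHERE clause into an always-true test
    return {
        "vulnerable": lookup_vulnerable(conn, crafted),     # every customer
        "parameterized": lookup_parameterized(conn, crafted),  # no match
    }


if __name__ == "__main__":
    print(demo())
```

An application firewall, like the one the company later installed, can only filter inputs that look suspicious; binding parameters as in `lookup_parameterized` removes the root cause regardless of what the input looks like.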
This was one of the techniques used by Albert Gonzalez, who in March received the longest-ever U.S. federal sentence related to hacking the systems of Heartland Payment Systems, TJX and other companies.
In the CitySights NY incident, hackers were able to get names, addresses, e-mail addresses, credit card numbers and their expiration dates, and Card Verification Value 2 codes, used to validate online credit card purchases.
CitySights NY is best known as the operator of a fleet of blue double-decker buses, used to drive tourists around Manhattan. The company could not be reached for comment Monday.
The company began notifying customers about the incident two weeks ago. Victims are being offered one year of free credit monitoring and a 50% off coupon, good for another CitySights NY tour.
CitySights NY's parent company, Twin America, says that it has "taken several important steps to improve the level of its data security." It has locked down access to its servers and installed an application firewall in hopes of thwarting future attacks.
But clearly, there's room for improvement. The company included the 50% off coupon code in the breach notification letter that was posted to the New Hampshire Attorney General's website. The code is 012345.