Melbourne-based travel agency, Inspiring Vacations, left a massive 26.8 GB database publicly exposed, devoid of any security measures like authentication or passwords.
A data leak at a Melbourne-based travel agency has exposed the personal information of thousands of tourists, raising concerns about online security and privacy in the travel industry.
Fowler came across a publicly exposed database containing 112,605 records spanning 26.8 GB and owned by the Australian travel agency Inspiring Vacations.
The exposed data include high-resolution passport images, travel visa certificates, and itinerary or ticket files.
The number of affected passports is unclear but around 1,000 identification documents were found in a limited sample-other files detailed customers' passport numbers and other personally identifiable information.
The file names were structured to include the individual's name in plain text.
The database stored data on 13,684 customers, including names, email addresses, trip costs, and destinations, contained in 48 Excel spreadsheets.
The database remained undetected for an unknown period, potentially putting the impacted tourists/individuals at risk of identity theft, fraud, and other cybercrime.
The exposed information could also be used for phishing scams with malicious emails tricking users into giving away their login credentials or revealing additional sensitive data, such as financial information via too-good-to-be-true travel deals.
Further, scammers could use resume information to trick candidates with fake job opportunities and request upfront payments as fees for employment processing or background checks.
It is noteworthy that fake job scams have inflicted substantial financial losses on companies, amounting to hundreds of millions of dollars in damages.
These scams have facilitated threat actors in compromising the devices of unsuspecting users by spreading malware.
The leaked passport data and travel details of tourists could lead to serious problems.
Malicious threat actors might use this information to pretend to be someone else, causing identity theft and financial issues for tourists.
The leaked data might put tourists at risk during their travels, making them vulnerable to scams or even physical harm.
Keeping this information safe is crucial to protect tourists from various risks and ensure their safety during trips.
Fowler responsibly disclosed the issue to Inspiring Vacations, and the company has since ensured the database.
Experts advise travellers to be cautious about sharing personal information with travel agencies.
Post-exposure standard safety practices include regularly checking credit card statements for unauthorized activity and preferring fraud protection services.
Businesses collecting and storing identity documents should enhance their data security measures, conduct thorough audits, encrypt sensitive information, and implement robust cybersecurity protocols.
This Cyber News was published on www.hackread.com. Publication date: Sun, 14 Jan 2024 18:13:04 +0000