December 21st, 2010

CitySights NY Website Breached, 110,000 Members' Credit Card Details Stolen

CitySights NY, a company organizing sightseeing tours in New York, notified 110,000 former customers that their credit card details were compromised after unidentified individuals hacked its website.

In a letter to the New Hampshire Attorney General’s Office, Twin America, CitySights’ parent company, revealed that the security breach was the result of an SQL injection attack.

The intrusion occurred on September 26, when hackers exploited a SQLi weakness to upload a backdoor script on its Web server. The company learned of the compromise on October 25, when a Web programmer spotted the unauthorized code and alerted his superiors.

Twin America notified the FBI and contracted outside experts to investigate the extent of the breach. It was determined that attackers obtained access to the customer database.

Compromised information includes customer names, addresses, emails, as well as credit card numbers, expiration dates and CVV2 security codes. Social Security or drivers’ license numbers were not exposed.

The company is offering all affected individuals a one-year free subscription to credit monitoring and theft insurance services from Experian. A 50% discount coupon for one of its tours was also sent along with the notification letter.

Following the breach, Twin America strengthened the security of its infrastructure. The measures taken include changing all administrative passwords and increasing their complexity, restricting access to the server’s admin panel to a limited number of IP addresses, identifying scripting vulnerabilities and fixing them, installing a Web application firewall and having an independent penetration test done.

Even though free credit monitoring services are available, we advise affected customers to cancel their credit cards and obtain new ones. Recent reports suggest that cybercriminals can wait over a year before abusing stolen financial information, precisely because they know people monitor their statements following a breach.

Credit: News
