Aussie Travel Agency Data Leak Puts Thousands of Tourists at Risk

By Deeba Ahmed

Another day, another misconfigured database that jeopardizes the online security and privacy of unsuspecting tourists worldwide.

This is a post from HackRead.com.


Melbourne-based travel agency, Inspiring Vacations, left a massive 26.8 GB database publicly exposed, devoid of any security measures like authentication or passwords.

A data leak at a Melbourne-based travel agency has exposed the personal information of thousands of tourists, raising concerns about online security and privacy in the travel industry.

The leak was discovered by cybersecurity researcher Jeremiah Fowler and reported to WebsitePlanet. Fowler came across a publicly exposed database containing 112,605 records spanning 26.8 GB and owned by the Australian travel agency Inspiring Vacations.

The exposed data include high-resolution passport images, travel visa certificates, and itinerary or ticket files. Most of the individuals in the records were Australian citizens, but identification documents from New Zealand, the United Kingdom, and Ireland were also found.

The number of affected passports is unclear, but around 1,000 identification documents were found in a limited sample. Other files detailed customers’ passport numbers and other personally identifiable information (PII). The file names were structured to include the individual’s name in plain text.

The database stored data on 13,684 customers, including names, email addresses, trip costs, and destinations, contained in 48 Excel spreadsheets. It also contained 24,000 itinerary and e-ticket documents, some showing partial credit card numbers, and internal company documents, including 17,000 tax invoices to partners and affiliates.

Type of records exposed in the data leak (Screenshots: WebsitePlanet)

The database remained undetected for an unknown period, potentially putting the impacted individuals at risk of identity theft, fraud, and other cybercrime. What’s worse is that it contained a folder of CVs or resumes, which cybercriminals can exploit for the same purposes. Phishing emails could trick users into revealing sensitive data, such as financial information, via too-good-to-be-true travel deals.

Additionally, cybercriminals could use resume information to trick candidates with fake job opportunities and request upfront payments as fees for employment processing or background checks.

Moreover, passport data can be used for identity theft, allowing criminals to open accounts, apply for credit cards, or conduct fraudulent activities in victims’ names. Fake identification documents can be used to satisfy KYC compliance requirements and for illegal activities like extortion schemes.

Ticket information may contain partial payment details, which cybercriminals can exploit using social engineering techniques. Exposed email addresses can also be a risk for phishing and malware distribution.

Fowler responsibly disclosed the issue to Inspiring Vacations, and the company has since secured the database. So far, there is no indication of unauthorized access or suspicious activity. An internal forensic audit would identify whether any occurred. Experts advise travellers to be cautious about sharing personal information with travel agencies.

Standard safety practices after an exposure include regularly checking credit card statements for unauthorized activity and opting for fraud protection services.

Businesses collecting and storing identity documents should enhance their data security measures, conduct thorough audits, encrypt sensitive information, and implement robust cybersecurity protocols. Companies could also delete sensitive customer records or set a time limit and expiration date for keeping them.
