Threat Management, Vulnerability Management

NYC bus tour company’s database hacked of credit card info

The credit card details belonging to customers of CitySights NY were stolen when a database belonging to the sightseeing bus tours company was hacked.

How many victims? Approximately 110,000.

What type of personal information? Names, home addresses, email addresses, credit card numbers, expiration dates and CVV2 numbers.

What happened? Thieves exploited a SQL vulnerability to access a database on the company's web server. The hackers launched the SQL script on Sept. 26 and gained access to the database until Oct. 19. Six days later, a web programmer discovered the exploit.

What was the response? CitySights NY notified affected customers and provided them with one year of free credit monitoring and identity theft protection services. In addition, victims received a coupon good for 50 percent off select tours. They were told to purchase online, using the code of "012345."

The company has taken steps to improve its security posture, including tightening password use, closing database vulnerabilities, deploying an application firewall and conducting penetration tests.

Quote: "The company continues to monitor its systems and has reconfigured its systems so that transactions will be processed without storing credit card data on the company's servers," wrote attorney Theodore Augustinos in a letter to the New Hampshire attorney general's office.

Source: Letter to New Hampshire attorney general's office, Dec. 9, 2010.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.