CitySights NY Data Breach Compromises Personal Information of 110,000 Customers

Significant Data Breach Impacts CitySights NY Customers

CitySights NY, a prominent tour operator in New York City known for its double-decker bus excursions, has reported a major data breach affecting the personal information of approximately 110,000 customers. The compromised data includes sensitive details such as names, addresses, email addresses, credit card numbers, expiration dates, and Card Verification Value (CVV2) codes.

The security incident is believed to have taken place on September 26, when cyber attackers utilized SQL injection techniques to implant a malicious script on the company’s web server. This intrusion remained undetected until October 25, when a web programmer identified the unauthorized script during routine maintenance. CitySights NY’s parent company, Twin America, has since confirmed the breach in a notification letter submitted to New Hampshire’s attorney general.

In response to this incident, Twin America has implemented several measures aimed at strengthening its data security protocols. To mitigate future risks, the company has upgraded administrative passwords to more complex variations and restricted access to critical systems to select pre-approved IP addresses. Additionally, vulnerabilities within its scripting were patched, and an application firewall was introduced. To further safeguard customer data, systems have been reconfigured to prevent any future transactions from storing credit card information.
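One way to enforce the last of those measures, keeping card data out of storage, shown as an added example that is not CitySights NY's or Twin America's code: it drops the card number, expiration date and CVV2 before a record is saved and masks card numbers typed into free-text fields. The field names, the `scrub_order` and `mask_pans` helpers and the processor token are assumptions for illustration.

```python
import re

# Field names are assumptions for this example, not the company's schema.
CARD_FIELDS = {"card_number", "expiration", "cvv2"}
# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Replace Luhn-valid card numbers embedded in free text."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return "[PAN REMOVED]" if luhn_ok(digits) else m.group()
    return PAN_RE.sub(repl, text)


def scrub_order(order: dict, processor_token: str) -> dict:
    """Build the only version of the record allowed to reach the database."""
    digits = re.sub(r"\D", "", order.get("card_number", ""))
    stored = {k: mask_pans(v) if isinstance(v, str) else v
              for k, v in order.items() if k not in CARD_FIELDS}
    stored["card_last4"] = digits[-4:]         # enough for receipts and support
    stored["payment_token"] = processor_token  # reference held by the processor
    return stored


# Constructed sample input; 4111 1111 1111 1111 is a standard test card number.
SAMPLE_ORDER = {
    "email": "customer@example.com",
    "card_number": "4111 1111 1111 1111",
    "expiration": "12/30",
    "cvv2": "123",
    "notes": "Phone order, card 4111-1111-1111-1111, ref 1234567890123",
}
```

A record built this way gives an attacker who reaches the database through the web application nothing that can be replayed as a payment.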

Affected customers have been notified of the breach, receiving an offer of a one-year complimentary membership to a credit monitoring service, along with a 50% discount coupon for a tour. However, this commendable effort was marred by a significant blunder: the discount coupon code, “012345,” was inadvertently included in the publicly released notification letter. Given the simplicity of this code, it is now widely known among the public, underscoring serious lapses in information security procedures within the organization.

This incident illustrates the vulnerabilities businesses can face, particularly when they fail to adhere to robust cybersecurity practices. The attackers' tactics align with several techniques identified in the MITRE ATT&CK framework, particularly those associated with initial access through SQL injection and potential methods for establishing persistence. Moreover, the failure to secure sensitive information highlights critical shortcomings in defenses against privilege escalation and in endpoint protection.

As the threat landscape continues to evolve, it is imperative for organizations to prioritize data security and regularly audit their systems for vulnerabilities. The repercussions of such breaches extend beyond immediate financial losses, impacting customer trust and, ultimately, the company’s reputation.

In an era where data security is paramount, business leaders must stay vigilant and educate themselves on cybersecurity best practices to safeguard their operations and customer information effectively.
