(WEB HOST INDUSTRY REVIEW) -- New York City bus tour company CitySights NY (www.citysightsny.com) announced earlier this month that a SQL injection attack on its web server compromised about 110,000 credit card numbers.
Although the breach happened on September 26, it was not discovered until October 25, a month later, when a web programmer noticed the unauthorized script.
The breach became public on December 9, when a letter sent to New Hampshire Attorney General Michael Delaney by CitySights' parent company, Twin America, was posted online. Around 300 New Hampshire residents were among those affected by the attack.
In the letter, Twin America suggests the Payment Card Industry (PCI) guidelines for storing card data were not being met.
The database held customer financial data, including the customer's name, address, email address and credit card information. Included in the credit card information was the expiration date and card verification value (CVV2) data.
Retaining that additional data put Twin America in violation of the PCI DSS data-retention requirements, which prohibit merchants from storing the CVV2 after a transaction has been authorized, because, combined with the card number, name and expiration date, it makes fraudulent card-not-present transactions much easier to carry out.
Twin America says in the letter that it has taken measures to improve its data security. These steps include: changing all administrative level passwords, limiting the access to the administration panel and the server to a handful of pre-approved IP addresses, patching scripting vulnerabilities and setting up an applications firewall, and reconfiguring its systems so future transactions are processed without storing credit card data.
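Neither the letter nor the report above says how the vulnerable query was written or what the injected script did. The following is an added example, not CitySights' or Twin America's code: on a constructed in-memory SQLite table it shows the string-spliced query pattern that SQL injection exploits, the parameterized form that "patching scripting vulnerabilities" should produce, and a schema check for the card-number and CVV2 columns that PCI DSS forbids retaining. The table and column names, the sample rows and the processor-token column are assumptions.

```python
import sqlite3

# Constructed schema: keeps only what a merchant may retain after
# authorization (last four digits, expiry) plus a processor token for
# repeat charges. No full card number and no CVV2 column exists at all.
SCHEMA = """
CREATE TABLE customers (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    name TEXT NOT NULL,
    card_last4 TEXT NOT NULL,
    card_expiry TEXT NOT NULL,
    processor_token TEXT NOT NULL
);
"""

# Constructed "before" schema in the shape the letter describes: full
# card data and CVV2 stored alongside the customer record.
LEGACY_SCHEMA = """
CREATE TABLE customers (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    name TEXT NOT NULL,
    card_number TEXT NOT NULL,
    card_expiry TEXT NOT NULL,
    cvv2 TEXT NOT NULL
);
"""

# Constructed sample rows (fake data) for the hardened schema.
SAMPLE_ROWS = [
    (1, "alice@example.com", "Alice", "1111", "12/11", "tok_a1"),
    (2, "bob@example.com", "Bob", "2222", "11/12", "tok_b2"),
]


def connect(schema=SCHEMA, rows=SAMPLE_ROWS):
    """Build an in-memory database from the given schema and rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(schema)
    if rows:
        conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?,?)", rows)
    return conn


def lookup_vulnerable(conn, email):
    """The injectable pattern: the request value is spliced into the SQL text,
    so a quote in the input changes the query's structure."""
    sql = "SELECT name, card_last4 FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """The fix: the driver binds the value separately from the query text,
    so the same payload is just a string that matches no row."""
    sql = "SELECT name, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Column names that indicate sensitive authentication data or a full PAN.
FORBIDDEN_COLUMNS = {"card_number", "pan", "cvv", "cvv2", "cvc", "cid",
                     "track_data", "pin", "pin_block"}


def columns_violating_pci(conn):
    """Walk the catalog and report any column that suggests card data
    PCI DSS says must not be stored after authorization."""
    violations = []
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    for (table,) in tables:
        # pragma_table_info is a table-valued function, so the table name
        # can be bound as a parameter rather than spliced into the text.
        for (column,) in conn.execute(
                "SELECT name FROM pragma_table_info(?)", (table,)):
            if column.lower() in FORBIDDEN_COLUMNS:
                violations.append((table, column))
    return violations


if __name__ == "__main__":
    db = connect()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))      # every customer
    print("parameterized:", lookup_parameterized(db, payload))  # []
    print("hardened schema:", columns_violating_pci(db))
    print("legacy schema:", columns_violating_pci(connect(LEGACY_SCHEMA, rows=[])))
```

The payload `x' OR '1'='1` turns the spliced query into `WHERE email = 'x' OR '1'='1'`, which is true for every row, so the vulnerable lookup dumps the table while the parameterized one returns nothing. The schema check is the cheap audit to run before anything else: if a CVV2 or full card-number column exists, an injection anywhere in the application exposes it, and removing the column is what makes the "process without storing card data" step real.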
Twin America has sent breach notification letters to the affected customers, offering them a free one-year membership with a credit monitoring service and a coupon for a 50 percent discount on one of its tours.
Several reports suggest, however, that Twin America still has security improvements to make, noting that the coupon code printed in the breach notification letter was 012345, a value anyone could guess.