Reports that the Web site of a New York-based tour firm has been hacked and around 110,000 bank card details lifted by hackers may have repercussions for the company on the PCI DSS front.
The hack itself occurred via a SQL Injection attack. In such an attack, the hacker gains illegal access to information in the database. As media reports have shown, the hacker launched the attack on September 26 over a 3 week period obtaining over 100K credit card details including the account number, expiration date, CVV2, and other personal identifying information such as home and email addresses.
My team had investigated this attack, and what they found was an Indonesian hacker’s blog listing numerous websites vulnerable to attack, including the site of CitySights. Interestingly enough, the blog’s entry was dated September 9th – more than two weeks prior to the initial attack campaign.
While this case clearly illustrates the security misgivings the company suffered from, CitySights may also be in breach of the PCI DSS industry regulation. The PCI regulation, mandated by major credit-card processing companies such as Visa and Mastercard, defines the required security controls to be placed on the storage and processing of credit cards. The PCI regulation includes specific requirements in regards to the storage of unencrypted credit card data as well as prohibiting the storage of sensitive authentication data (CVV2) all together.
Since the hacker was able to gain access to this data may indicate that the firm’s data security practices are not aligned with PCI DSS requirements.
The tour company had offered a 50% discount voucher to its affected customers. Ironically enough they posted the discount code online, making it in short available for anyone.