BreachExchange mailing list archives
Flight booking site Option Way exposed personal info on customers
From: Destry Winant <destry () riskbasedsecurity com>
Date: Mon, 9 Sep 2019 08:13:44 -0500
https://www.scmagazine.com/home/security-news/flight-booking-site-option-way-exposed-personal-info-on-customers/

A data breach at flight booking site Option Way exposed personal details on passengers and their flight and travel plans.

Researchers at vpnMentor led by Noam Rotem and Ran Locar were “able to access over 100 GB of data, a massive amount of customers’ unencrypted Personally Identifiable Information (PII),” including names, birth dates, gender, email addresses, destinations, flight prices and flight departure and return dates.

User emails were accessible through “‘incorrect password’ reset links,” which “exposed the wide database to potential hacks, and Option Way users to a lot of potential fraud,” the researchers wrote in a blog post.

“During our investigation, we also found the company’s credit card details unmasked and viewable to anybody with access to the database,” the researchers said, referring to the breach as a “goldmine for identity thieves and other attackers.”

“Companies need to be aware that their digital surface can also be leveraged by attackers seeking a way to obtain personal info or a springboard into the company,” said Elad Shapira, head of research of Panorays. “This is what is called the company’s “attack surface” and it includes outdated technologies such as open ports that provide Web services into/from the internal company servers, misconfigured and not hardened servers, open and exposed AWS S3 buckets, and even inadvertently exposed internal sites due to server misconfiguration.”

Shapira said companies should “evaluate their attack surface and continuously monitor it for any changes that may pinpoint a threat,” including evaluating third parties.

“In today’s digital world, companies outsource their data storage, processing and analysis to other services, such as was the case here with Option Way,” he said.
“Companies had provided Option Way their sensitive and confidential employee and customer details.”

_______________________________________________
BreachExchange mailing list
sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link:
https://lists.riskbasedsecurity.com/listinfo/breachexchange