Australian Travel Agency Exposed the Personal Data of Thousands of Tourists Online

Jeremiah Fowler February 13, 2024

February 13, 2024

Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to WebsitePlanet about a non-password-protected database that contained 112k records, which included traveler information, passport images, itinerary and ticket documents.

The publicly exposed database contained a total of 112,605 records with a size of 26.8 GB. Upon further research, it appeared that the database belonged to a company named Inspiring Vacations. I immediately sent a responsible disclosure notice, and the database was secured from public access. I received a reply thanking me for my notification and confirming that I didn’t download files from the database without redactions. According to their website, Inspiring Vacations is an Australian-owned travel company based in Melbourne and has a team located in New Delhi, India.

The exposed records contained potentially sensitive information such as high-resolution passport images, travel visa certificates, and itinerary or ticket files. A vast majority of the individuals I saw in the records appeared to be Australian citizens. However, I also saw identification documents from New Zealand, the United Kingdom, and Ireland. It is unclear how many passports were affected. I saw an estimated 1,000 identification documents in a limited sample; however, there were other files in the database that detailed the customers’ passport number and other PII. The file names of the passport documents were structured in a specific manner, to include the name of the individual in plain text.

The database also included 48 .xls spreadsheets that detailed information regarding 13,684 customers, such as the travelers’ names, email addresses, trip costs, destinations, and other internal details. There were an estimated 24,000 itinerary and e-ticket .pdf documents, some of which show partial credit card numbers. In addition to customer files, the database included various internal documents, such as 17,000 tax invoices to partners and affiliates that specify gross costs and commissions paid.

Traveling can be stressful enough with cancellations, delays, and dealing with other unforeseen circumstances and costs, which is why many people find it easier and more comfortable to use a travel agency when planning their vacations rather than doing it all themselves. However, in the digital age that we live in, tourists may need to add ‘data security’ to the long list of travel concerns. The travel industry is a lucrative potential target for cyber criminals — not only are vacations expensive (which means travelers are attractive marks), but any travel agency would need their clients’ personal information and identity documents to make reservations on their behalf. Traveling abroad, for instance, requires a passport and sometimes an entry visa. Travelers rarely consider what happens to their highly valuable personal data, how or where their information is stored, and for how long it is retained.

This image is a collage of screenshots showing exposed passport images stored inside the database.

This screenshot shows how customer data was stored in the .xml documents. It shows their names, emails, deals or trips they purchased, as well as internal pricing and cost information.

This screenshot shows an e-ticket that contained the names of the travelers, flight information, frequent flyer number, and partial credit card data.

This screenshot shows the CV or resume of a potential applicant to the company. The database contained over 100 of such documents.

❮❯

Potential Risks

Any potential data breach of a tourist operator that exposes sensitive information, such as passports and tickets, if discovered by ill-intention hackers (which we don’t know), can pose numerous possible risks to the affected individuals. A passport is a government-issued identification document that contains a wealth of personal information. Hypothetically, passport data could be used for identity theft, allowing criminals to open accounts, apply for credit cards, or conduct fraudulent activity in the victims’ names. In the age of biometric technology, it is increasingly difficult to create forged or counterfeit passports for travel. However, a fake identification document could be used for know your customer (KYC) compliance requirements to open a financial account. Identity documents can also potentially be used for numerous illegal activities. One possible example would be if a cyber criminal is engaged in an extortion scheme (with a victim who is unrelated to the data breach) and needs a way to accept the blackmailed funds. In this scenario, the criminal could simply open an account with a legitimate crypto exchange or financial app using the name and personal details from one of the exposed passports. I am not saying there is an imminent risk of illegal activity, I am only giving an example of how the exposed documents could potentially be used.

Ticket information may sometimes include partial payment details. Cybercriminals might exploit this information if they also know details such as the name of the cardholder, type of card used, expiration date, and last 4 digits. For instance, using social engineering techniques, the criminal could contact the victim and attempt to obtain the missing numbers by posing as an employee. They could reference details about the trip to gain the client’s trust and claim there is a small fee still owed. Once the criminal has the full credit card information, they could make unauthorized transactions.

Exposed email addresses can also be a potential risk for phishing and malware distribution. By now, most of us can easily spot an email phishing attempt, but when the criminal knows details about us or perhaps a vacation we went on or a company we have done business with in the past, the success rate of the scam greatly increases. Social engineering is the most successful of all methods of cybercrime with an estimated 98% of attacks involving some level of social interaction. Hypothetically, criminals could target travel agency customers by sending them emails with too-good-to-be-true travel deals, aiming to obtain deposits, payments, or credit card information. In this case, given the available information in the exposed database, the criminal could see how much each traveler paid for their vacation and rank them as high- or low-value targets based on their previous purchases.

The exposed database also contained a folder of CVs or resumes. These documents include much more personal information that can potentially be exploited for various malicious purposes, as they contain full names, addresses, phone numbers, and email addresses. Criminals could easily send phishing emails posing as potential employers or recruiters to trick candidates into revealing more sensitive data like financial information, tax ID numbers, identification documents, or additional personal details. There is a risk of criminals using information from resumes to lure candidates into fake job opportunities and request an upfront payment, claiming there is a fee for employment processing or a background check. Once the criminal has the payment details, they could make unauthorized charges until the bank or the victim identifies the fraudulent activity.

All of the above potential risks mentioned would suppose hackers discovered the breach while it was still accessible, which we don’t and cannot know.

How to Prevent This

Australia has a data privacy law that consists of a Notifiable Data Breaches scheme where an organization must notify individuals and the relevant authorities of possible serious harm or risks. The organization has up to 30 days to assess whether a data breach is likely to result in serious harm. I highly recommend that any business that collects and stores identity documents enhance their data security measures, conduct thorough audits of their systems, encrypt any sensitive information they collect or store, and implement robust cybersecurity protocols to prevent future potential data incidents and protect their customers’ data. Companies could also delete sensitive customer records that are not in use or give them a time limit and an expiration date.

It is unclear how long the database was exposed or who else may have gained access to the publicly accessible records. Only an internal forensic audit would identify any unauthorized access or suspicious activity. As an ethical cyber security researcher, I never download or extract the data that I discover. It is important to note that the disclosure of my findings should not be construed as an indication of any wrongdoing by Inspiring Vacations or their partners and affiliates. I would also like to clarify that my report does not imply that customers or individuals are inherently at risk. I only provide the factual details of my discovery and give real world and hypothetical scenarios of how exposed data could be potentially used for fraudulent activities. My primary objective is to foster data protection and awareness by highlighting potential vulnerabilities.