BreachExchange mailing list archives

Flight Centre Travel Group Data Leaked After Attempted "Extortion"


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 4 Apr 2014 09:13:53 -0600

https://www.riskbasedsecurity.com/2014/04/flight-centre-travel-group-data-leaked-after-attempted-extortion/


A hacker who goes by the handle 'MrNervous' or 'WhiteHatMrNervous' was
up to some questionable activities earlier this year, which resulted in
data being leaked and a business being given a very short time to pay a
"bounty" to fix a vulnerability.

WhiteHatMrNervous has posted that the Flight Centre Travel Group had been
contacted by him/her about a breach that occurred on the 9th of February in
which s/he had tried to advise the IT staff of the issue and how it should
be resolved, but requested a US$5,000 "bounty" for the information. After
waiting for only one day without a reply, s/he published two site databases
on various file hosting websites: fcm.travel and flightcentreassociates.com.

The two databases have resulted in very different types of data becoming
public, both via a very common but not very publicized method. As in this
case, many hackers are finding vulnerabilities in web sites, extracting
data, and asking for a payout to tell the site how to fix the issue. If no
money is forthcoming, then the data gets posted publicly to shame the
company.

This is not the first time we have seen methods like this used, but
the waiting period after requesting the bounty (or, as many see
it, "attempted extortion") is typically a lot more than one day. The breach
was first posted to the hacker's blog on the 10th then later to pastebin on
the 14th of February and 17th of March. That means this data has been
floating around online for several weeks now.

In a statement by the self-proclaimed "whitehat" hacker posted on the 17th,
s/he stated the motivation behind the breach is that companies are ignoring
requests for such bounty payments or to even speak to the volunteer
"penetration-testers". Rather than working with the person trying to help
them (to some degree), companies have sent the hacker DMCA take-down notices
over previously leaked databases, pushing him/her to focus on the Flight
Centre Travel Group.

"This aggravated the whole situation and the pentester is now focussed on
Flight Centre Travel Group of companies to find flaws in all of them and
download their data to later publish it online. So that, next time they and
any other company thinks twice before sending a Takedown notice or taking
any action of any kind against the Tester"

MrNervous has also stated that s/he is going to "bring them to their knees"
and advised that the customers should think twice about using the site in
the future, going so far as to advise them about lawsuits.

"Now it might just be the time, when the customers of Flight Centre Travel
Group will rethink on whether they should continue to deal with this
company as they do not actively monitor nor safeguard the security of their
dataBase, which contains their client's private data, contact details, and
a lot.

"If you are one of their Client or planning to deal with them for your
travel plans, or if you even send them queries for travel plan, Please be
informed that all the data you share with them will be all out there,
published on the Internet. You might then want to file lawsuits against
them if your confidential data is among the data which is leaked.

"Flight Centre Travel Group, I will bring you on your knees! "

The breach was carried out by abusing a SQL injection vulnerability in the
Parallels Plesk software that resulted in complete system database access
as well as all staff authentication credentials.

On a side note, the complete range of Flight Centre websites use a common
privacy policy which appears to contradict what has been leaked, as it
states they strive to protect personal information and have various
measures in place to do so. Yet they have plaintext passwords for 2,798
users, showing that even basic password hashing is not being performed.

"Flight Centre has implemented various physical, electronic and managerial
security procedures in order to protect personal information from loss and
misuse, and from unauthorized access, modification, disclosure and
interference.

"Flight Centre regularly reviews security and encryption technologies and
will strive to protect your personal information as fully as we protect our
own confidential information."

It's also not the first time Flight Centre has come into the cross-hairs of
hackers or the media. Earlier in February, a hacker appeared in court over
accessing credit card details which resulted in $123,000 worth of fraud.

We have reached out to the staff at Flight Centre for comment, but have not
received a reply yet.

Leaked Data Statistics:

http://fcm.travel

165 staff accounts with full login credentials such as user names, email
addresses, full names, and encrypted passwords.

http://FlightCentreAssociates.com

1,712 travel club user details including names, emails, and usernames.

3,615 weddingregisterforms emails, full names, locations, contact details,
and wedding details.

2,798 shop staff accounts with contact information such as full names and
email addresses, as well as their plaintext passwords.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/