Dec 21, 2010 09:57 GMT  ·  By

CitySights NY, a company organizing sightseeing tours in New York, notified 110,000 former customers that their credit card details were compromised after unidentified individuals hacked its website.

In a letter [pdf] to the New Hampshire Attorney General's Office, Twin America, CitySights' parent company, revealed that the security breach was the result of an SQL injection attack.

The intrusion occurred on September 26, when attackers exploited an SQL injection (SQLi) flaw to upload a backdoor script to the company's Web server.
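The letter does not describe the vulnerable code, so the following is an added illustration, not CitySights' or Twin America's own code, of the class of flaw involved: a lookup that splices user input into the SQL text beside the parameterized form that removes the problem. The table, column names and sample rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data; this is not the company's real schema or customer data.
CUSTOMERS = [
    ("alice@example.com", "Alice Example"),
    ("bob@example.com", "Bob Example"),
    ("carol@example.com", "Carol Example"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """String concatenation: the caller's input becomes part of the SQL grammar,
    so a quote character in the input changes the meaning of the statement."""
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    """Bound parameter: the driver passes the value separately from the SQL text,
    so whatever the input contains is compared as a literal and never parsed as SQL."""
    sql = "SELECT name FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo():
    """Run both lookups against a benign input and a tampered one and return the results."""
    conn = make_db()
    benign = "alice@example.com"
    tampered = "x' OR '1'='1"  # classic textbook input that closes the quoted literal
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_tampered": lookup_vulnerable(conn, tampered),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_tampered": lookup_parameterized(conn, tampered),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Run as a script, the vulnerable lookup returns every customer for the tampered input while the parameterized lookup returns nothing, which is the behaviour a code review or a penetration test of the kind mentioned later in the article would be looking for. Parameterized statements are the fix; a Web application firewall in front of unfixed code only filters patterns it happens to recognize.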

The company learned of the compromise on October 25, when a Web programmer spotted the unauthorized code and alerted his superiors.

Twin America notified the FBI and contracted outside experts to investigate the extent of the breach. It was determined that attackers obtained access to the customer database.

Compromised information includes customer names, addresses, emails, as well as credit card numbers, expiration dates and CVV2 security codes. Social Security or drivers' license numbers were not exposed.

The company is offering all affected individuals a one-year free subscription to credit monitoring and theft insurance services from Experian. A 50% discount coupon for one of its tours was also sent along with the notification letter.

Following the breach, Twin America strengthened the security of its infrastructure. Measures taken include changing all administrative passwords and increasing their complexity, restricting access to the server's admin panel to a limited set of IP addresses, identifying and fixing scripting vulnerabilities, installing a Web application firewall, and commissioning an independent penetration test.

Even though free credit monitoring services are available, we advise affected customers to cancel their credit cards and obtain new ones. Recent reports suggest that cybercriminals can wait over a year before abusing stolen financial information, precisely because they know people monitor their statements closely following a breach.