Australian travel agency Inspiring Vacations has fallen victim to a data breach, exposing passport and travel details of thousands of customers. The Melbourne-based company, came under the spotlight when cybersecurity researcher Jeremiah Fowler discovered the Inspiring Vacations data breach.
Discovery and Scope of the Inspiring Vacations Data Breach
Fowler reported that a publicly exposed database, totaling 112,605 records and 26.8 GB in size, contained highly sensitive information. The database included high-resolution passport images, travel visa certificates, and itinerary or ticket files.
While the majority of affected individuals in the Inspiring Vacations data breach were Australian citizens, identification documents from New Zealand, the United Kingdom, and Ireland were also present.
The extent of the impact on passports remains unclear, with an estimated 1,000 identification documents in a limited sample, along with additional files detailing passport numbers and other personally identifiable information (PII). Notably, passport document names were structured to include the individual’s name in plain text.
Further examination of the Inspiring Vacations data breach revealed 48 .xls spreadsheets detailing information about 13,684 customers. This information included travelers’ names, email addresses, trip costs, destinations, and internal details.
Additionally, approximately 24,000 itinerary and e-ticket .pdf documents were present, some displaying partial credit card numbers. The database also housed internal documents, including 17,000 tax invoices to partners and affiliates specifying gross costs and commissions paid.
Upon discovering the Inspiring Vacations data breach, Fowler promptly issued a responsible disclosure notice, leading to the securing of the database from public access. The company acknowledged Fowler’s notification, expressing gratitude and confirming that no files were downloaded without redactions.
“I immediately sent a responsible disclosure notice, and the database was secured from public access. I received a reply thanking me for my notification and confirming that I didn’t download files from the database without redactions,” reads the report.
The Cyber Express Team sought official confirmation from Inspiring Vacations but received no response at the time of reporting.
Parallel Incidents
This incident follows the alleged cyberattack on Air Sino-Euro Associates (ASA Holidays) by the BianLian ransomware group. While ASA Holidays has not officially confirmed the attack, BianLian claims to have extracted a substantial amount of sensitive data, posing a significant risk to the privacy and security of employees and clients.
As authorities investigate the extent of the Inspiring Vacations data breach and affected individuals await further information, the incidents highlight the critical need for robust cybersecurity measures in the travel industry to safeguard customer data and maintain trust in the digital landscape.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
