CitySights NY, a company that organizes New York City tours on double-decker buses, has experienced a significant data breach. The personal information of 110,000 customers, including names, addresses, email addresses, credit card numbers, expiration dates, and Card Verification Value (CVV2) codes, was stolen.

The breach likely occurred on September 26, when attackers exploited an SQL injection vulnerability to upload a malicious script to the web server. The intrusion went unnoticed until October 25, when a web programmer found the unauthorized script. Twin America, CitySights NY's parent company, confirmed the compromise in a breach notification letter sent to New Hampshire's attorney general, who later published it.

In response to the breach, Twin America has taken several steps to enhance data security, including:

  1. Changing all administrative-level passwords to more complex ones.
  2. Restricting access to the administration panel and server to a few pre-approved IP addresses.
  3. Patching scripting vulnerabilities and setting up an application firewall.
  4. Reconfiguring systems to ensure future transactions are processed without storing credit card data.

Twin America has also notified affected customers, offering them a one-year free membership to a credit monitoring service and a 50% discount coupon for a tour. However, the company made a significant mistake by including the coupon code in the breach notification letter that New Hampshire's attorney general published. The coupon code, "012345," is trivial to guess and is now widely known because it appeared in the published letter. This oversight highlights the need for the company to take information security more seriously.
