A major travel insurance provider and several government websites are among those hacked by an attacker claiming to be a former LizardSquad member
Aussie Travel Cover, one of Australia’s largest sellers of travel insurance, has been hit by a hacker who stole more than 770,000 records, including customers’ personal data, and who claims to have compromised a number of other government websites.
The Australian Broadcasting Corporation (ABC) on Monday reported that Aussie Travel Cover, an agent of Allianz, became aware of the hack on December 18 of last year and alerted third-party agents on 23 December, but did not inform customers.
The data stolen included names, phone numbers, email addresses, travel dates, how much policies cost and partial credit card details, according to ABC. The company reportedly took its website offline for a month to fix the SQL injection vulnerability used in the attack.
Meanwhile, the hacker claiming responsibility for the attack, using the online alias “Abdilo”, released the stolen data online.
Aussie Travel Cover reportedly said in an email to its agents that it had engaged consultants to help investigate the breach, so that “at this stage, there is no reason to advise policyholders”.
Australian law does not require the disclosure of data breaches.
Government site breaches
Several Australian government organisations confirmed that Abdilo, who claims to be a 16-year-old living in Queensland, had breached websites containing non-sensitive data.
The Australian Communications and Media Authority (ACMA) and the Australian Nuclear Science and Technology Organisation (ANSTO) both told ZDNet Australia that they had detected SQL injection attacks by Abdilo, but that the sites affected were public-facing portals that handle data that is already public or is scheduled for public release at a later date.
Abdilo claimed in a message on the Pastebin code-sharing website that he had compromised dozens of commercial and government websites both in Australia and abroad, while in more recent Twitter messages he claims to have hacked other insurance companies and universities.
The hacker said he carried out the attacks out of boredom.
On Pastebin, he wrote that his “plan” had been to “mess with ANSTO’s nuclear reactor, but the closest I got was stealing all of their error logs & chemicals & scientist doxes”. “Dox” is an online slang term referring to identity data.
ANSTO told ZDNet that the compromised database does indeed include “publication and experiment titles, names of researchers, and which experiments are running”, but said this data is mostly either “currently publicly accessible on our website or released after two or three years anyway”.