Breach Notification , Geo Focus: Asia , Geo-Specific

Australian Travel Agency Exposes Passport Data of Thousands

Misconfigured Cloud Database Exposed 26.8 GB of Scans, Email and Social Accounts
Australian Travel Agency Exposes Passport Data of Thousands
Melbourne Airport terminal (Image: Shutterstock)

Australian travel company Inspiring Vacations is investigating a misconfigured cloud database that exposed passport details and the personal information of tens of thousands of travelers.

See Also: An Identity Security-first Approach to the Evolving Threat Landscape

The Melbourne-based online travel company said in a media statement Tuesday that it launched an investigation with help from external experts in early December to determine the extent of the data exposure. "We will update our stakeholders as this investigation progresses," it said.

Australian cybersecurity researcher Jeremiah Fowler, who discovered Inspiring Vacations' exposed cloud database and reported it to the company, said the 26.8-gigabyte database contained 112,605 records that included customers' full names, photos, passports, identification documents, email addresses and other personal identifiable information in plain text.

Launched in 2018, Inspiring Vacations offers bargain-priced holiday tour packages through its head office in Melbourne and has a dedicated team located in New Delhi. The company reported revenues of AU$77 million in the 2023 financial year.

Fowler said a vast majority of the exposed data records potentially affected Australian citizens but also included customers from the U.K., New Zealand and Ireland. He said he accessed 48 spreadsheets that contained the names, email addresses, trip costs and internal details associated with more than 13,000 customers.

"In addition to customer files, the database included various internal documents, such as 17,000 tax invoices to partners and affiliates that specify gross costs and commissions paid," he said in a blog post.

If accessed by malicious actors, passport details could be used for identity theft, Fowler warned. Criminals can use these details to open accounts, apply for credit cards or commit fraud in the victims' names. Bad actors also can open cryptocurrency wallets in victims' names and accept the proceeds of cybercrime in those wallets.

The Australian Passport Office said it is aware of the cyber incident affecting Inspiring Vacations but assured its customers that affected passports are still safe to use for international travel.

"Investigation into the cyber incident has found evidence that some personal information was compromised. This includes a number of Australian passport images," the passport office said. "Your passport number cannot be used to obtain a new passport. Robust controls are used to protect passports from identity takeover, including sophisticated facial recognition technology."

Inspiring Vacations said it collects travelers' email addresses, phone numbers, passports, social media accounts and their accounts with online chat services. It stores the collected information in secure on-site and off-site facilities and restricts access with passwords or through physical restrictions.

The travel company did not say how long the cloud database had been exposed before Fowler discovered it and why it did not encrypt customers' personal identifiable information. The company did not respond to Information Security Media Group's request for a comment at the time of publication.

Cloud storage has become essentially indispensable for Australian businesses, and Gartner said it expects the country's public cloud spending to reach AU$23.2 billion in 2024, up 19.3% from 2023. According to a Thales study, Australian businesses haven't succeeded in securing their cloud assets commensurate with the speed of adoption.

The study found that 37% of Australian businesses experienced cloud data breaches in 2023, and human error was the leading cause of such incidents. With only 7% of businesses encrypting more than 60% of their sensitive data in the cloud, data exposures have turned into major personal data breaches, Thales said.

The Australian Cyber Security Center said in its 2022-2023 Cyber Threat Report that cybercriminals typically use stolen personal data to commit identity theft or to conduct phishing campaigns for financial gain. Compromised personal information also ends up in dark web marketplaces where it is traded by malicious actors, the ACSC said.

"Malicious cyber actors can also piece together seemingly innocuous information like an email address, a date of birth, or a phone number to target someone for spear-phishing, fraud or to leverage that person to gain other privileged accesses and information," it added.

About the Author

Jayant Chakravarti

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.