Alert: Hackers take 850,000 limo service passengers for a ride
From KrebsOnSecurity – Corporate Car Online, a limousine and town car service, was found to have been the target of cybercriminals after a plain text archive of more than 850,000 customer credit card numbers, names, addresses, transaction records, and other private information was discovered on the same servers where stolen information from PR Newswire and Adobe Systems Inc. was found. Customers whose information was exposed included members of Congress, celebrities, and business executives.
Inside the plain text archive apparently stolen from the firm are more than 850,000 credit card numbers, expiry dates and associated names and addresses. More than one-quarter (241,000) of all compromised card numbers were high- or no-limit American Express accounts, card numbers that have very high resale value in the cybercrime underground.
Corporate Car Online bills itself as “The most user friendly web-based Limousine software in the industry.”
Corporate Car Online is a company based in Kirkwood, Miss., that sells software car services use to streamline reservations, dispatching and payments.
Information included “details dispatchers gave to drivers heading out to pick up celebrity passengers,” the AP reported. The addresses of some of the celebrities’ destinations were also revealed.
“Other customers include Donald Trump, who required a new car with a clear front seat; LeBron James, who was picked up at an entrance for athletes at a Las Vegas sports arena; and Colorado Sen. Mark Udall, who was traveling to Boston with golf clubs,” the AP reported.
Adobe and PR Newswire took immediate action when they learned of the breach and alerted the public, warning millions of customers affected.
For corporate security officials charged with protecting high-profile C-suite executives, their families and others, this is an alarming development that must be reviewed as a significant vulnerability.
Corporate Car Online’s website boasts of robust data protection. “The only point of access to the servers is through our firewall, which is managed by our data centre, 24/7, 365 days a year,” it says.
But Jonathan Mayer, a cybersecurity fellow at the Center for International Security and Cooperation at Stanford University, did some poking Monday and found the website runs on outdated software prone to vulnerabilities. He said it has code dating back to Macromedia, which was acquired by Adobe nearly eight years ago; Internet Explorer 4, which rolled out in 1997; and 13-year-old Netscape 6.
“This database would be a gold mine of information for would-be corporate spies or for those engaged in other types of espionage,” Krebs wrote. “Records in the limo reservation database telegraphed the future dates and locations of travel for many important people. A ridiculously large number of entries provide the tail number of a customer’s plane, indicating they were to be picked up immediately upon disembarking a private jet.”
Krebs didn’t rule out the possibility that the data was used to target Kevin Mandia, the CEO of Mandiant, a firm that specializes in helping companies defend against computer espionage attacks. In October, Mandia told a Foreign Policy reporter that he received several booby-trapped PDF files in e-mails posing as billing invoices for recent limo rides. Among the 850,000 exposed records were those for Mandiant employees, including Mandia.
If you are concerned that your company’s car service uses Corporate Car Online, reach out to your car service immediately to establish what software drives their service, and alert the executives and passengers in your firm that their personal travel data may have been breached, including credit card information, future itineraries, and home and destination addresses.