NY Tour Company Hacked, 110,000 Records Stolen

The website of New York double decker bus tour company CitySights NY has been breached, and about 110,000 bank card numbers have been stolen using an SQL Injection attack, according to New Hampshire’s attorney general.  A web programmer discovered an unauthorized script uploaded to the company’s web server which is believed to have been used to compromise the security of the database and server.

In SQL injection attacks, hackers sneak database commands into the server for execution using the Web by adding specially crafted text into Web-based forms or search boxes that are used to query the back-end database.  In this incident, they were able to get names, addresses, e-mail addresses, credit card numbers and their expiration dates, and Card Verification Value 2 codes, used to validate online credit card purchases.

The company has taken steps to secure their environment, began notifying customers about the incident two weeks ago, and victims are being offered one year free credit monitoring and a 50% off coupon for another CitySights NY tour.  So, how security minded has this incident made the company?  The coupon’s security code is “012345”.  ACK!