Improperly stored private information leads to a heck of a crisis
Hackers who broke into the Corporate Car Online servers must’ve felt like it was Christmas morning when they came across a TEXT file listing everything from credit card numbers and private flight numbers to personal preferences and records of embarrassingly bad or illegal behavior from their clients. Bad news for anyone, certainly, but even worse when that list includes names like LeBron James, Tom Hanks, Donald Trump and a bevy of Senators and other Washington elite.
Here are more details, from the Krebs on Security blog:
The high-value data cache was found on the same servers where hackers stashed information stolen from PR Newswire, as well as huge troves of source code data lifted from Adobe Systems Inc. — suggesting that the same attacker(s) may have been involved in all three compromises.
In this case, the name on the file archive reads “CorporateCarOnline.” That name matches a company based in Kirkwood, Missouri which bills itself as “the leading provider of on-demand software management solutions for the limousine and ground transportation industry.”
I reached out several times over almost two weeks seeking comment from CorporateCarOnline.com. At length, I reached owner Dan Leonard, who seemed to know what I was calling about, but declined to discuss the matter, saying only that “I’d prefer not to talk to anybody about that.”
It’s understandable why the company would decline to comment: Inside the plain text archive apparently stolen from the firm are more than 850,000 credit card numbers, expiry dates and associated names and addresses. More than one-quarter (241,000) of all compromised card numbers were high- or no-limit American Express accounts, card numbers that have very high resale value in the cybercrime underground.
Obviously the car service is facing dire crisis management concerns, but those on the list are as well. Of course they’ll have to go through the trouble of canceling their cards, but worse is the fact that, with so much private information being released, corporate secrets could be exposed, blackmail could very well be possible, and, with concerns about terrorism higher than ever before, a great number of lawmakers’ future travel plans are probably out there and available to the highest bidder.
In recent years cyber attacks on your average organization have gone from what we call the “possible, but unlikely” category of crises to “easily predictable,” especially for organizations which store financial data of any kind. Protect your systems, but perhaps even more importantly, prepare a crisis management plan that includes cleanup and communication for the entire ordeal. Hackers have demonstrated their ability to reach any target they want given enough incentive; you simply cannot assume that next time it won’t be you.
The BCM Blogging Team