Skip to main content

A data breach at a travel agency based in Melbourne has released the private information of travellers, including passport information.

Inspiring Vacations says it is investigating the data breach involving 112,000 records totalling 26.8 gigabytes, according to a report in the Sydney Morning Herald.

The data includes high-resolution passport scans, travel visa information and at least 24,000 itinerary and e-ticket PDF documents.

The breach was discovered by cybersecurity researcher Jeremiah Fowler.

Fowler reported the breach to the company and to the Sydney Morning Herald, saying an incorrectly configured Amazon AWS cloud storage system was allowing public access to stored information.

“Any potential data breach of a tourist operator that exposes sensitive information, such as passports and tickets if discovered by hackers can pose numerous possible risks to the affected individuals,” Fowler told the newspaper.

“Hypothetically, passport data could be used for identity theft, allowing criminals to open accounts, apply for credit cards, or conduct fraudulent activity in the victims’ names.

A spokesman for Inspiring Vacations told the Sydney Morning Herald that the company had notified the Office of the Information Commissioner and the Australian Cyber Security Centre and was investigating the issue.

“We treat cybersecurity and the protection of our data seriously and we contacted staff and customers in early December to announce an investigation into these claims, supported by external experts,” a spokesman for Inspiring Vacations told the paper.

“We will update our stakeholders as this investigation progresses.”

According to Fowler, most of the affected travellers are Australian citizens, as well as customers from New Zealand, Britain and Ireland.

The exposed database also contained a folder of CVs including full names, addresses, phone numbers and email addresses, Fowler said.