Cybersecurity researcher Jeremiah Fowler uncovered a significant data exposure related to Australian travel company Inspiring Vacations. The non-password-protected database contained 112,605 records, featuring extensive traveler information, passport images, travel visa certificates, and itinerary or ticket files. The exposed data posed potential privacy risks, as it included high-resolution passport images and other sensitive details. After Fowler responsibly disclosed the vulnerability, the company secured the database and acknowledged the notification, emphasizing the importance of data security in the travel industry.
The exposed records predominantly pertained to Australian citizens, with additional identification documents from New Zealand, the United Kingdom, and Ireland. The compromised data also revealed around 1,000 identification documents in a sample, although it remained unclear how many passports were affected. Furthermore, the exposed database contained 48 .xls spreadsheets disclosing information about 13,684 customers, including names, email addresses, trip costs, destinations, and internal details. Additionally, there were roughly 24,000 itinerary and e-ticket .pdf documents, some containing partial credit card numbers, along with 17,000 tax invoices to partners and affiliates.
The incident underscores the vulnerability of personal data in the travel industry, where customers often entrust agencies with sensitive information for trip reservations. The potential misuse of passport images and other personally identifiable information raises concerns about identity theft and cybercriminal activities. As tourists may not be aware of how their data is stored, the incident serves as a reminder of the importance of data security in an industry that handles extensive personal information for travel arrangements.