Hackers have broken into the website of New York tour company CitySights NY and stolen approximately 110,000 bank card numbers, according to news reports.
In a Dec. 9 breach notification letter published by New Hampshire’s attorney general, CitySights NY said the intruder had used an SQL injection attack on the company’s web server to upload an unauthorized script, which then allegedly compromised the security of the database on that server.
With an SQL injection attack, hackers insert real database commands into the server over the web by adding specially crafted text to web-based forms or search boxes that are used to query the back-end database, according to Networkworld.
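The mechanism described above, shown as an added example that does not come from the article or from CitySights NY: a search-box query built by string concatenation, next to the same query with a bound parameter. The table, the tour names and the sample input are all constructed for illustration.

```python
import sqlite3

# Constructed input: the quote ends the string literal early, so the rest
# of the text is parsed as SQL instead of being treated as a search term.
CRAFTED = "x' OR name LIKE '"

def make_db():
    # Constructed sample data standing in for a tour-booking back end.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tours (id INTEGER PRIMARY KEY, name TEXT, public INTEGER);
        INSERT INTO tours (name, public) VALUES
            ('Downtown Loop', 1), ('Uptown Loop', 1), ('Staff Charter', 0);
    """)
    return db

def search_concat(db, term):
    # Weak form: the search text is pasted into the statement, so the
    # database cannot tell the developer's SQL from the visitor's text.
    sql = ("SELECT name FROM tours WHERE public = 1 AND name LIKE '%"
           + term + "%'")
    return [row[0] for row in db.execute(sql)]

def search_bound(db, term):
    # Corrected form: the statement text is fixed and the input is bound
    # as a value, so it is only ever compared against the name column.
    sql = "SELECT name FROM tours WHERE public = 1 AND name LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]

if __name__ == "__main__":
    db = make_db()
    for label, fn in (("concatenated", search_concat), ("bound", search_bound)):
        print(label, "normal :", fn(db, "Loop"))
        print(label, "crafted:", fn(db, CRAFTED))
```

With the crafted input, the concatenated query also returns the row that the `public = 1` filter was meant to hide, while the bound query returns nothing because no tour has that literal text in its name.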
In the CitySights NY incident, hackers were able to snatch names, addresses, email addresses, credit card numbers and their expiration dates, and CVV2 codes.
CitySights NY’s parent company Twin America said it has taken several “important steps” to improve data security, including locking down access to its servers, installing an application firewall, and conducting an independent penetration test.