Categories: Security

Australian Insurance Firm and Government Websites Hacked

Aussie Travel Cover, one of Australia’s largest sellers of travel insurance, has been hit by a hacker who stole more than 770,000 records, including customers’ personal data, and who claims to have compromised a number of other government websites.

The Australian Broadcasting Corporation (ABC) on Monday reported that Aussie Travel Cover, an agent of Allianz, became aware of the hack on December 18 of last year and alerted third-party agents on 23 December, but did not inform customers.

The data stolen included names, phone numbers, email addresses, travel dates, how much policies cost and partial credit card details, according to ABC. The company reportedly took its website offline for a month to fix the SQL injection vulnerability used in the attack.

Meanwhile, the hacker claiming responsiblity for the attack, using the online alias “Abdilo”, released the stolen data online.

Aussie Travel Cover reportedly said in an email to its agents that it had engaged consultants to help investigate the breach, so that “at this stage, there is no reason to advise policyholders”.

Australian law does not require the disclosure of data breaches.

Government site breaches

Several Australian government organisations confirmed that Abdilo, who claims to be a 16-year-old living in Queensland, had breached websites containing non-sensitive data.

The Australian Communications and Media Authority (ACMA) and the Australian Nuclear Science and Technology Organisation (ANSTO) both told ZDNet Australia that they had detected SQL injection attacks by Abdilo, but that the sites affected were public-facing portals that handle data that is already public or is scheduled for public release at a later date.

Abdilo claimed in a message on the Pastebin code-sharing website that he had compromised dozens of commercial and government websites both in Australia and abroad, while in more recent Twitter messages he claims to have hacked other insurance companies and universities.

The hacker said he carried out the attacks out of boredom.

Nuclear hack

On Pastebin, he wrote that his “plan” had been to “mess with ANSTO’s nuclear reactor, but the closest I got was stealing all of their error logs & chemicals & scientist doxes”. “Dox” is an online slang term referring to identity data.

ANSTO told ZDNet that the compromised database does indeed include “publication and experiment titles, names of researchers, and which experiments are running”, but said this data is mostly either “currently publicly accessible on our website or released after two or three years anyway”.

Abdilo also claimed to have joined the hacking group LizardSquad from August to October of last year. The group claimed responsibility for disabling the Xbox and PlayStation networks in December.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago