Hacker hits Australian travel insurer, leaks records of 800,000 customers

Personal and limited financial information of over 800,000 customers of Australian travel insurance company Aussie Travel Cover have been stolen by a hacker that goes by the online handle “Abdilo” and is believed to be a member of the infamous Lizard Squad.

According to ABC Australia, the company has discovered the breach on December 18, 2014, and notified third party agents five days later. They also notified the authorities, but to this day its policy holders haven’t received any official word about it.

The attacker stole the contents of two databases: one containing the policy details and personal information of around 770,000 customers, and the other partial credit card numbers of some 100,000 customers.

He leaked some of this information on January 15, but it’s possible that he will sell the rest to buyers on underground black markets.

Abdilo says he’s a teenager based in Queensland, and that he has been breaking into .edu, .gov. and .mil websites of mostly US and Australian institutions and pilfering databases via SQL injections since August 2014.

He says that he left the Lizard Squad in October.

According to Brian Krebs, Abdilo registered the LizardStresser domain, and his email address has also been used to “register a number of domains tied to cybercrime operations, including sites selling stolen credit card data and access to hacked PCs.”

As a side note: DB Networks research shows that after years of steady decline, 2014 witnessed a significant uptick in SQL injection vulnerabilities identified in publicly released software packages, and the trend is expected to continue in 2015.