Inspiring Vacations has clarified that the number of individuals at risk of a data breach at the company is “significantly smaller” than suggested in recent media reports.
Earlier in the week, reports circulated that thousands of people’s personal information, including passport images, travel itineraries and tickets, were leaked in a major data breach at Inspiring Vacations. The news, originally broken by the Sydney Morning Herald, said that there had been a data breach at the firm in November last year. Inspiring Vacations has since conducted an investigation into the breach.
The data breach was originally discovered by cybersecurity researcher Jeremiah Fowler who said the exposed data was accessed through an Amazon Web Services cloud storage bucket that had been misconfigured to allow public access.
In a statement, Inspiring Vacations said that it carried out an “in-depth forensic investigation [was] conducted during the Christmas break, in which experts supported the organisation in determining what personal information may have been included in the accessed dataset”. Following the investigation, the tour operator said it was able to provide accurate information to its stakeholders.
Inspiring Vacations’ managing director, Paul Ryan, apologised for the breach and “for any concern or distress that our initial communications in December might have caused.
“We were determined to contact all potentially impacted people at the earliest opportunity, before investigations allowed us to engage directly with the group who face a risk of data misuse.”
Upon identification, the impacted cloud storage bucket was immediately secured and the incident contained. Since that time, Inspiring Vacations’ investigation have confirmed no that there had been no further access to its IT environment.
“Finding out what happened and determining how to prevent reoccurrence has been of paramount importance since we were first made aware of the claims,” Ryan added.
“The completion of our investigation and the ability to provide the necessary precautionary steps for those people impacted is the result of painstaking work by many people within our organisation.”
All at risk individuals have now been provided with specific details about the nature of data impacted and steps that can be taken to mitigate any risk presented.
An update in the investigation has been provided to the Office of the Australian Information Commissioner and other related agencies.