A large-scale data breach at insurer Aussie Travel Cover has resulted in personal information for hundreds of thousands of policy holders being posted online by a teenage hacker from Queensland.
First reported by the ABC, the two stolen Aussie Travel Cover databases contain over 870,000 records in total. The travel insurer was told of the breach on December 18 and notified its agents five days after.
Log files posted on January 17 with counts of database entries sighted by iTnews showed similar numbers, making it one of Australia's largest data breaches to date.
The databases contain sensitive customer information such as names, home addresses and other personally identifiable data, along with partial credit card details.
One database - named 'banking' - appeared to contain financial information relating to ATC agents. Data from two ATC-related domains, Chi Travel Insurance and Kiwi Travel Cover, also appear to have been captured by the hacker.
ATC confirmed the data breach, and along with its parent company Allianz issued a formal notification of the information leakage yesterday, more than a month after it was made aware of the issue.
Allianz said ATC did not hold customers' full credit card details in the stolen database. Only one client record had been accessed and that customer has been notified, Allianz said.
However, other customers appear not to have been notified, according to the ABC, which sighted an email from the ATC to its agents.
The ATC reportedly told its agents it had brought in consultants to investigate the breach but did not see any reason to advise its policy holders of it.
Queensland teenager "Abdilo" claimed responsibility for the attack on Twitter, and posted the databases on a website that has since been taken down.
Abdilo, whose real name is not yet known, told the ABC he hacked the travel insurance company because he was bored.
The 16-year-old has not attempted to hide his location, and posted on Pastebin that he has been attacking a large number of academic and educational websites in the United States and Australia since August last year.
Australian and US government and military websites were also on Abdilo's list of targets. He has attempted to gain access to databases on the Australian Consumer and Competition Commission and Australian Communications and Media Authority websites, and posted some of the vulnerability information gleaned on Pastebin.
Abdilo also today posted a "preview" on Pastebin, with links to files said to come from the website for Metropolitan State University in Saint Paul, Minnesota in the US.
Abdilo has claimed that he had joined the Lizard Squad hacking group, which claimed to be behind the large-scale denial of service attacks on Sony PlayStation and Microsoft's Xbox gaming networks.
Security journalist Brian Krebs linked Abdilo to the hacking group and its paid-for LizardStresser DDoS service by looking up registrant data for the domains in question.
The Australian Federal Police are investigating the data breach after both the Queensland and New South Wales police forces declined to look into the matter.