Cyber Incident Victim: Aussie Travel Cover

Date: Dec 2014

Location: Australia

Summary

A privately owned Australian travel insurer experienced a significant data breach when an attacker exploited an SQL injection vulnerability and exfiltrated over 770,000 customer records containing personal and policy information. The hacker, operating under the alias "Abdilo," claimed responsibility and claimed to have compromised multiple government, educational, and private sector websites, though affected entities indicated that only non-sensitive public-facing portals were accessed. While third-party agents were notified, impacted customers were not directly informed due to the absence of mandatory breach disclosure laws. Authorities acknowledged awareness of the incident but did not confirm active investigations. The attacker subsequently targeted additional insurance and financial organizations, publicly disclosing vulnerabilities via social media while downplaying the accessed government data as non-confidential.

Description

The incident involving Aussie Travel Cover began on or before December 18, 2014, when the Australian travel insurer discovered its computer systems had been compromised by a hacker using the alias "Abdilo." The attacker exploited an SQL injection vulnerability to extract over 770,000 records containing customer names, phone numbers, email addresses, travel dates, and policy prices from the company's database. Aussie Travel Cover, a privately owned agent of Allianz, notified third-party agents about the breach on December 23 but did not inform affected policyholders directly. Australia's Privacy Commissioner Timothy Pilgrim was notified of the breach on December 22, though no mandatory disclosure requirement existed under national legislation at the time.

Abdilo publicly claimed responsibility through Pastebin.com posts and Twitter, asserting he had compromised multiple Australian government websites using similar SQL injection techniques. His stated targets included the Australian Communications and Media Authority (ACMA), Victoria Police, the Australian Nuclear Science and Technology Organisation (ANSTO), and the Australian Public Service Commission. Investigations by affected agencies revealed that only public-facing portals without sensitive data were breached. ACMA confirmed that a vulnerable fee calculator was targeted, but said the calculator had no network links and that no data was exfiltrated. ANSTO acknowledged access to a non-secure database holding publicly available scientific reports and researcher work details, and subsequently implemented network improvements. The Office of the Australian Information Commissioner confirmed it received no breach notifications from these agencies, as no personal information was compromised.

The hacker continued targeting other Australian entities in January 2015, including insurance provider GIO and financial service InvestSmart, posting warnings on Twitter about SQL vulnerabilities. While the Australian Federal Police acknowledged awareness of the incidents, they declined to confirm any active investigation. NSW Police reported no formal complaints regarding Abdilo's claims about New South Wales-based targets. Abdilo's online statements described unsuccessful attempts to access ANSTO's nuclear reactor systems and referred to corrupted data storage. Security researcher Brian Krebs linked Abdilo to Lizard Squad-affiliated activities, though the hacker disputed ownership of the LizardStresser.su domain. The breach exposed systemic vulnerabilities in private sector data protection practices and highlighted gaps in mandatory breach disclosure requirements within Australia's regulatory framework at the time.