Cyber Incident Victim: Flight Centre Travel Group
Date: Feb 2014
Location: Australia
Summary
A hacker exploiting a SQL injection vulnerability in Parallels Plesk software accessed and leaked databases from the Flight Centre Travel Group after an unsuccessful extortion attempt demanding $5,000 for vulnerability details. The breach exposed staff credentials, travel club member details, wedding registration records, and shop staff accounts—including plaintext passwords—compromising personal information, contact details, and authentication data. The attacker claimed retaliation against the company for issuing DMCA takedown notices against previous disclosures, asserting the leak aimed to pressure the organization to address security weaknesses and deter legal actions against vulnerability testers.
Description
In February 2014, an individual using the aliases 'MrNervous' or 'WhiteHatMrNervous' exploited a SQL injection vulnerability in Flight Centre Travel Group's Parallels Plesk software, gaining full access to system databases and staff authentication credentials. The attacker contacted Flight Centre's IT staff on February 9, 2014, demanding a $5,000 bounty payment in exchange for vulnerability details and resolution guidance. After receiving no response within 24 hours, the hacker publicly leaked databases from two domains: fcm.travel and flightcentreassociates.com. The fcm.travel breach exposed 165 staff accounts containing usernames, email addresses, full names, and encrypted passwords. The flightcentreassociates.com compromise revealed 1,712 travel club user details with names and emails, 3,615 wedding register entries with contact information and event specifics, and 2,798 shop staff accounts featuring plaintext passwords alongside personal details. The attacker first disclosed the breach on their blog on February 10, subsequently reposting the data to Pastebin on February 14 and March 17, ensuring prolonged public availability of sensitive information.

The hacker justified their actions as retaliation against companies ignoring security researchers, specifically citing Flight Centre's prior issuance of DMCA takedown notices against their disclosures. Public statements threatened to "bring [Flight Centre] to their knees" while advising customers to reconsider business relationships and pursue legal action over data protection failures. This incident contradicted Flight Centre's published privacy policy claiming implementation of physical, electronic, and managerial safeguards for personal information. The exposure of plaintext passwords demonstrated inadequate security practices despite corporate assurances about encryption technologies. The breach occurred amidst prior security controversies for Flight Centre, including a February 2014 court case involving $123,000 credit card fraud from another intrusion. No public containment measures or organizational responses were documented in available sources, with the company failing to reply to media inquiries about the incident.
