Website for Tour company CitySights NY hit by hackers

20.12.2010
Hackers have broken into the website of the New York tour company CitySights NY and stolen about 110,000 bank card numbers.

They broke in using a SQL Injection attack on the company's Web server, CitySights NY said in a Dec. 9 breach notification letter . The company learned of the problem in late October, when, "a web programmer discovered [an] unauthorized script that appears to have been uploaded to the company's web server, which is believed to have compromised the security of the database on that server," the letter said.

CitySights NY believes that the SQL injection compromise occurred about a month earlier, on Sept. 26. In a SQL injection attack, hackers find ways to sneak real database commands into the server using the Web. They do this by adding specially crafted text into Web-based forms or search boxes that are used to query the back-end database.

This was , who in March received the related to hacking the systems of Heartland Payment Systems, TJX and other companies.

In the CitySights NY incident, hackers were able to get names, addresses, e-mail addresses, credit card numbers and their expiration dates, and Card Verification Value 2 codes, used to validate online credit card purchases.

CitySights NY is best known as the operator of a fleet of blue double-decker buses, used to drive tourists around Manhattan. The company could not be reached for comment Monday.