- The Daytrip travel site has suffered a data leak
- According to reports, the leak originated with an external supplier
- Up to 470,000 clients could be at risk
The travel company Daytrip has had 470,000 user records and 762,000 online travel orders exposed.
The data set, discovered by Cybernews researchers, was stored in a ‘non-safe MongoDB database managed by the Daytrip subcontractor’; the data included personally identifiable information (PII).
The leaked information could put users at risk, especially of identity theft and social engineering attacks, so anyone who has used the service should keep a close eye on their information. The Daytrip database has since been closed, and the company states that it has since discontinued its work with the supplier. This is what we know so far.
Real-world risk
As an online transport service operating in 130 countries around the world, Daytrip, as expected, held address information for many clients, which was found in the data set together with full names, email addresses, telephone numbers, partial payment details, billing information, and passenger addresses.
Although there is no evidence that the data set has been found by cybercriminals, criminals often have “automated tools searching the web for instances without protection, only to download them immediately,” the researchers confirmed, so this presents a real-world risk for those exposed.
This incident demonstrates the need for strong oversight of third parties and suppliers, especially given how dependent and interconnected modern companies are. It is another reminder, after the notorious CrowdStrike outage, of how crucial a supplier can be.
“Apparently, the compromised database was under the control of a Daytrip subcontractor, emphasizing the importance of strict management of suppliers and consistent security practices across all data controllers in the supply chain,” said the Cybernews researchers.
The researchers emphasize the importance of an incident plan for companies, since it can help maintain and rebuild the confidence of customers and commercial partners after a leak, as well as mitigate reputational damage.
Data breaches can be harmful to companies, but transparency and proactive strategies that go beyond the legal minimum can protect the organization, while hidden or downplayed breaches can destroy trust altogether.
Protecting your information
If you think this, or any other breach, could put you at risk, there are some things you can do to protect yourself and mitigate any risk.
This particular breach is complicated. As the researchers pointed out, “the leak entails a perfect combination of data for identity and financial fraud”, so if you use the service, we recommend being very careful.
The main risk with this type of breach is identity theft, so consult our list of the best identity theft protection for software designed specifically to monitor and protect your accounts and details. Many of these offer identity theft insurance that covers up to $1 million per adult, so it is worth at least taking a look.
If you use a service that has been the victim of a breach, we definitely recommend changing your password, and we always suggest using unique passwords for all your important sites.
We have written a more detailed guide with our tips for creating the best password, but the short version is: keep passwords long, complicated and memorable. If that sounds like a nuisance, we have also listed the best password managers, as well as the best password generators, to simplify the process.
Victims also run the risk of social engineering attacks, or phishing scams, in which attackers use the information obtained to craft personal, targeted scams that steal more information or gain access to their accounts.
If you are not sure exactly what a phishing attack is, we have put together an explainer, but the key to avoid falling victim is to stay suspicious of all unexpected communications and double-check each sender, even if you think you know them.
Never hand over your passwords or give anyone access to your accounts, and be wary of unverified email addresses or telephone numbers. Remember: it is extremely unlikely that your bank, your telephone provider or any other large company will call you to get access to your accounts, so be very cautious.