- Travel site Daytrip has fallen victim to a data leak
- The leak reportedly originated through a third party vendor
- Up to 470,000 customers could be at risk
Travel company Daytrip has had 470,000 user records and 762,000 travel orders compromised online.
The dataset, discovered by Cybernews researchers, was stored on an ‘unsecured MongoDB database managed by Daytrip’s subcontractor’ – the data included personally identifiable information (PII).
The leaked information could put users at risk, especially concerning identity theft and social engineering attacks, so anyone who’s used the service should be vigilant with their information. The Daytrip database has since been closed, and the company claims it has since discontinued its work with the vendor, here’s what we know so far.
Real world risk
As an online ride-hailing service which operates in 130 countries across the globe, Daytrip unsurprisingly held the address information of many customers, which was discovered in the dataset, alongside the full names, emails, phone numbers, partial payment details, billing information, and passenger addresses.
Although there’s no evidence the dataset was found by cybercriminals, criminals often have ‘automated tools that scour the web for unprotected instances only to immediately download them’, researchers confirmed – so this presents a real world risk for those exposed.
This incident proves the need for strong third-party and vendor oversight, especially given just how reliant and inter-connected modern businesses are – another reminder after the notorious CrowdStrike outage, which outlined just how crucial knowing your vendor can be.
“The compromised database was apparently under the control of a Daytrip subcontractor, emphasizing the importance of strict vendor management and consistent security practices across all data handlers in the supply chain,” the Cybernews researchers said.
Researchers stress the importance of an incident plan for companies, as it can help maintain and rebuild customer and business partner trust after a leak, as well as mitigate reputational damage.
Data breaches can be harmful for firms, but transparency and proactive strategies beyond just the legal minimum can protect the organization, whereas concealed or downplayed breaches can annihilate trust all round.
Protecting your information
If you think this, or any other breach, might put you in danger – there are a few things you can do to protect yourself and mitigate any risks.
This breach in particular is a tricky one, as researchers pointed out, “the leak carries a perfect blend of data for identity theft and financial fraud”, so if you use the service, we recommend being very careful.
The primary risk with this sort of breach is identity theft, so check out our list of the best identity theft protections for software specifically designed to monitor and protect your accounts and details. A lot of these will offer identity theft insurance covering up to $1 million per adult, so it’s worth at least taking a look.
If you use a service that has been the victim of a breach, we would definitely recommend changing your password, and we always suggest using unique passwords for all your important sites.
We’ve written a more detailed guide on our tips for securing the best password, but the short version is; keep passwords long, complicated, and memorable. If that sounds like a hassle, then we’ve listed the best password managers, as well as all the best password generators to simplify the process.
Victims are also at risk of social engineering attacks, or phishing scams, in which attackers will design personal and specific scams with the information obtained in order to steal more information from you, or gain access to your accounts.
If you’re not sure what exactly a phishing attack is, we’ve put together an explainer – but the key to avoiding falling victim is staying suspicious of all unexpected communications and double checking every sender – even if you think you know them.
Never give out your passwords or give anyone access to your accounts, and be on the lookout for unverified email addresses or phone numbers, and remember – it’s extremely unlikely that your bank, your phone provider, or any other large company would be calling you to get access to your accounts – so be very wary.
