Inspiring Vacations data breach exposes passports, travel documents

“In this scenario, the criminal could simply open an account with a legitimate crypto exchange or financial app using the name and personal details from one of the exposed passports.”

A spokesman for Inspiring Vacations said the company was investigating the issue and had notified regulators including the Office of the Information Commissioner and the Australian Cyber Security Centre.

“Inspiring Vacations has notified the Office of the Australian Information Commissioner of the incident,” a spokeswoman for the OAIC said. “We are making preliminary inquiries with Inspiring Vacations regarding its compliance with the notifiable data breaches scheme.”

Australia’s mandatory reporting laws mean companies must notify the government if they become aware a cybersecurity incident has occurred.

“We treat cybersecurity and the protection of our data seriously and we contacted staff and customers in early December to announce an investigation into these claims, supported by external experts,” a spokesman for Inspiring Vacations said.

“We will update our stakeholders as this investigation progresses.”

According to Fowler, most of the affected travellers are Australian citizens, as well as customers from New Zealand, Britain and Ireland.

The exposed database also contained a folder of CVs including full names, addresses, phone numbers and email addresses, Fowler said.

“Criminals could easily send phishing emails posing as potential employers or recruiters to trick candidates into revealing more sensitive data like financial information, tax ID numbers, identification documents, or additional personal details,” he said.

“There is a risk of criminals using information from resumes to lure candidates into fake job opportunities and request an upfront payment, claiming there is a fee for employment processing or a background check. Once the criminal has the payment details, they could make unauthorised charges until the bank or the victim identifies the fraudulent activity.”

Inspiring Vacations was named an Australian Financial Review “fast starter” in 2023, when its co-founders said they had a stated goal of building a billion-dollar company by 2025.

“Inspiring Vacations is a leading Australian-owned travel company with stores across the globe, including the United States and India. A trusted brand, the tour operator has won numerous awards, sending tens of thousands of happy customers on vacations to exciting destinations on all seven continents,” the company’s website reads.

“We offer a wide range of tour packages, carefully crafted to ensure that each trip is unique and unforgettable, with options ranging from fully guided tours to self-drive adventures, luxury cruises to iconic train journeys, and so much more.”

It’s unclear how long the database was exposed and if hackers accessed the information.

“Only an internal forensic audit would identify any unauthorised access or suspicious activity,” Fowler said.

“I highly recommend that any business that collects and stores identity documents enhance their data security measures, conduct thorough audits of their systems, encrypt any sensitive information they collect or store, and implement robust cybersecurity protocols to prevent future potential data incidents and protect their customers’ data.

“Companies could also delete sensitive customer records that are not in use or give them a time limit and an expiration date.”

As this masthead reported over the weekend, the recent wave of data breaches and cyberattacks are not an outlier but a “new normal”, according to cyber professionals, who say a cultural shift is needed more than any new suite of technical defences.

According to the Australian Signals Directorate, an intelligence agency, more than 127,000 hacks against Australian servers were recorded in the 2022 and 2023 financial years, an increase of more than 300 per cent over the prior year.

The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.

“In this scenario, the criminal could simply open an account with a legitimate crypto exchange or financial app using the name and personal details from one of the exposed passports.”

A spokesman for Inspiring Vacations said the company was investigating the issue and had notified regulators including the Office of the Information Commissioner and the Australian Cyber Security Centre.

“Inspiring Vacations has notified the Office of the Australian Information Commissioner of the incident,” a spokeswoman for the OAIC said. “We are making preliminary inquiries with Inspiring Vacations regarding its compliance with the notifiable data breaches scheme.”

Australia’s mandatory reporting laws mean companies must notify the government if they become aware a cybersecurity incident has occurred.

“We treat cybersecurity and the protection of our data seriously and we contacted staff and customers in early December to announce an investigation into these claims, supported by external experts,” a spokesman for Inspiring Vacations said.

“We will update our stakeholders as this investigation progresses.”

According to Fowler, most of the affected travellers are Australian citizens, as well as customers from New Zealand, Britain and Ireland.

The exposed database also contained a folder of CVs including full names, addresses, phone numbers and email addresses, Fowler said.

“Criminals could easily send phishing emails posing as potential employers or recruiters to trick candidates into revealing more sensitive data like financial information, tax ID numbers, identification documents, or additional personal details,” he said.

“There is a risk of criminals using information from resumes to lure candidates into fake job opportunities and request an upfront payment, claiming there is a fee for employment processing or a background check. Once the criminal has the payment details, they could make unauthorised charges until the bank or the victim identifies the fraudulent activity.”

Inspiring Vacations was named an Australian Financial Review “fast starter” in 2023, when its co-founders said they had a stated goal of building a billion-dollar company by 2025.

“Inspiring Vacations is a leading Australian-owned travel company with stores across the globe, including the United States and India. A trusted brand, the tour operator has won numerous awards, sending tens of thousands of happy customers on vacations to exciting destinations on all seven continents,” the company’s website reads.

“We offer a wide range of tour packages, carefully crafted to ensure that each trip is unique and unforgettable, with options ranging from fully guided tours to self-drive adventures, luxury cruises to iconic train journeys, and so much more.”

It’s unclear how long the database was exposed and if hackers accessed the information.

“Only an internal forensic audit would identify any unauthorised access or suspicious activity,” Fowler said.

“I highly recommend that any business that collects and stores identity documents enhance their data security measures, conduct thorough audits of their systems, encrypt any sensitive information they collect or store, and implement robust cybersecurity protocols to prevent future potential data incidents and protect their customers’ data.

“Companies could also delete sensitive customer records that are not in use or give them a time limit and an expiration date.”

As this masthead reported over the weekend, the recent wave of data breaches and cyberattacks are not an outlier but a “new normal”, according to cyber professionals, who say a cultural shift is needed more than any new suite of technical defences.

According to the Australian Signals Directorate, an intelligence agency, more than 127,000 hacks against Australian servers were recorded in the 2022 and 2023 financial years, an increase of more than 300 per cent over the prior year.

The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.