Hacking the records of a limo company does not at first blush seem very valuable.
But a recent hack of CorporateCarOnline yielded information on 85,000 customers, including the location and financial information on “Fortune 500 CEOs, lawmakers, and A-list celebrities,” among others, according to security researcher Brian Krebs.
“While the target is not a household name, it is, arguably, the highest socially impacting target yet,” said Alex Holden, Krebs’s research partner. “By its nature, limo and corporate transportation caters to affluent individuals and VIPs.”
The information was discovered secreted away on a server that also included details from two previous data thefts, that of PR Newswire and Adobe Systems.
Research indicates that the vulnerability exploited by the hackers is probably the same ColdFusion vulnerability used by data theft site SSNDOB to crack the data brokerage sites Lexis/Nexis and Dun & Bradstreet.
Among this hack’s well-known victims, whose pickup and dropoff information and in some cases credit card numbers were captured, are NBA superstar LeBron James, actor Tom Hanks, Sen. Mark Udall, and Donald Trump.
Aside from buying a massage chair with Trump’s credit card, what good is this information?
“Records in the limo reservation database telegraphed the future dates and locations of travel for many important people,” Krebs wrote. “A ridiculously large number of entries provide the tail number of a customer’s plane, indicating they were to be picked up immediately upon disembarking a private jet.”
Nation state hackers could also leverage this information. In fact, they may already have done so. According to Krebs, Kevin Mandia, the CEO of security firm Mandiant whose information was stolen CorporateCarOnline hack, was sent a malware-loaded PDF file disguised as a limo receipt.
Of course, tabloid journalists would also have a field day with the records, which contain a notes field. Search for “sex,” “puke,” “arrest,” “police,” or “smoking pot” and voila! Celebrity foolishness ensues.
Who says technology is boring?