A hacker accessed databases of Australian travel insurance company Aussie Travel Cover and managed to exfiltrate information on more than 750,000 customers, as well as a huge number of policy records.

The company suffered the breach on December 18 and informed third-party agents a few days later, but failed to notify the affected customers, whose private information had been exposed.

Hacker may have additional databases

An individual with the Twitter handle Abdilo claimed the attack in a message posted on the microblogging platform that also linked to a leaked database, as proof of his deed.

The file includes log-in credentials of insurance consultants, as well as more than 770,000 policy records containing addresses, partial payment card numbers, country of residence (mostly Australia), and the ID for the insurance type.

It appears that the reason Aussie Travel Cover did not contact the affected individuals was that the investigation was at an early stage, as ABC reports, relying on an email the company sent to its consultants.

This course of action is often taken when the investigation is ongoing and more details are required to determine the extent of the breach and the information that has been exposed.

According to the publication, Abdilo may have additional databases that have not been dumped into the public domain yet. These may contain information that can be exchanged for cash on cybercrime forums and could lead to identity theft incidents.

SQL injection seems to be the attack of choice

On the Twitter feed, the hacker, who is believed to live in Queensland, refers to hacks affecting other websites, the attacks having been carried out using the SQL injection method.

In some cases, the hacker would announce the finding of a vulnerability and ask the concerned party for a contact email address to provide the necessary information.

This is used for gaining access to sensitive databases through the execution of malicious SQL statements entered in an available entry field. If the statements are not properly sanitized and the command is executed, then private data becomes reachable.

In order to solve the issue, Aussie Travel Cover has taken its website offline for about a month. Law enforcement has been involved in the investigation of the incident.