Aussie Travel Cover hack exposes details of 770,000 customers

A major data breach has hit one of Australia's leading travel insurers, exposing details of three quarters of a million policy holders. But while the hack occurred last year, customers have remained in the dark.

Claire Reilly Former Principal Video Producer

Claire Reilly was a video host, journalist and producer covering all things space, futurism, science and culture. Whether she's covering breaking news, explaining complex science topics or exploring the weirder sides of tech culture, Claire gets to the heart of why technology matters to everyone. She's been a regular commentator on broadcast news, and in her spare time, she's a cabaret enthusiast, Simpsons aficionado and closet country music lover. She originally hails from Sydney but now calls San Francisco home.

Expertise Space | Futurism | Robotics | Tech Culture | Science and Sci-Tech Credentials

Webby Award Winner (Best Video Host, 2021), Webby Nominee (Podcasts, 2021), Gold Telly (Documentary Series, 2021), Silver Telly (Video Writing, 2021), W3 Award (Best Host, 2020), Australian IT Journalism Awards (Best Journalist, Best News Journalist 2017)

See full bio

Claire Reilly

Jan. 19, 2015 6:49 p.m. PT

3 min read

A major travel insurance agency has been compromised in an "illegal hacking incident," exposing the personal information of roughly three quarters of a million Australians. But despite the data breach occurring in December 2014, customers have remained in the dark until now.

Aussie Travel Cover, an "authorised representative" of Allianz Global Assistance, was hit with an SQL injection attack last December, allegedly at the hands of a hacker based in Queensland. The type of attack allowed the hacker to insert code into the company's systems and thereby compromise databases to obtain customer information.

The incident is now under investigation by the Australian Federal Police, but the purported hacker has posted a "backup" of the information obtained in the attack. This list outlines the specific data stolen from Aussie Travel Cover's systems, including the details of roughly 770,000 insurance policies, with customer names, addresses, dates of birth and even the number of children included on a policy.

Well now if anyone wants to go start an irl mail campaign against australians they have 770k people who use said insurance company
— abdilo (@abdilo_) January 16, 2015

According to a report on the ABC's PM program, which first revealed the breach to the public, the hack occurred on December 18, 2014, and ATC notified its third party agents a few days later on December 23. However, policy holders whose details were compromised were not informed at this time, and some customers remained unaware of the breach until contacted by the ABC.

In informing its agents via email, the company wrote, "at this stage, there is no reason to advise policyholders".

Australia currently has no laws requiring companies to disclose data breaches, even of this magnitude, meaning Aussie Travel Cover was under no legal obligation to inform customers that their personal information had been compromised -- regardless of how this information may be used by hackers or third parties.

The hacker -- a Queenslander who goes by the name "abdilo" according to ABC reports -- has taken to Twitter to boast of the attack. Abdilo's profile, which talks up the hacker's credentials as an "Advanced Persistent Sqlier" (referencing the SQL Injection method of attack) also warns that other companies may be at risk of a similar attack, including GIO Insurance.

.@GIOInsurance i sent you an email the other day trying to report a sqli to you... might wanna check your emails.
— abdilo (@abdilo_) January 16, 2015

Aussie Travel Cover has not responded to repeated requests for comment, including questions about why it did not initially disclose the breach to customers. However, Allianz Global Assistance, the company that underwrites ATC's policies and for which ATC acts as an authorised representative yesterday released a statement on the matter.

An Allianz Global Assistance spokesperson confirmed the "illegal hacking incident" had occurred, saying "data of a number of [ATC's] customers" had been accessed, but not "full" credit card details.

Aussie Travel Cover has confirmed they do not hold the full credit card details of its customers in any database. Tests are being conducted by Aussie Travel Cover to ascertain the extent of the data that has been compromised. To date, there is evidence of only one client record being accessed, and this customer has been contacted.
The travel insurance specialist and partner of Allianz Global Assistance immediately acted to shut down any further breach opportunities. The affected database has been secured and urgent action is underway to ascertain the cause of this violation.
Aussie Travel Cover has confirmed that they have referred this matter to the Australian Federal Police who are currently investigating.

For its part, an AFP spokesperson said the Federal Police are "aware of this matter" but that the law enforcement agency has "a long standing practice of not confirming or denying who it is investigating".

"Activities such as hacking, creating or propagating malicious viruses or participating in DDOS attacks are not harmless fun," the spokesperson said. "Criminal acts such as this can result in serious long-term consequences for individuals, such as criminal convictions or imprisonment."

Allianz Global Assistance said it was providing support to Aussie Travel Cover, including "leveraging the strength" of its "global IT security and infrastructure" in order to resolve the issue.

Aussie Travel Cover and GIO have both been contacted for comment and we will update this story with information as we receive it.