Car service hack exposes credit info of nearly 1mn celebrities, politicians

Hackers infiltrated software used by a limousine company that frequently transports politicians, star athletes, corporate bigwigs and even some well-known celebrities, representatives from a US internet security firm have said.

Corporate Car Online is a Town Car service based out of Kirkwood, Missouri. Cyber-security journalist Brian Krebs identified a file with the same name, ‘CorporateCarOnline’, stored on the same server on which stolen information from PR Newswire and Adobe Systems Inc. was saved, leading to the possibility that the same perpetrators were behind each of the three hacks.

The hack in question concerns the personal and financial information on Fortune 500 CEOs, and such superstars as Tom Hanks, LeBron James, and Green Bay Packers quarterback Aaron Rodgers. Along with the big names, the hack was especially fruitful because the firm appears to have lost over 850,000 credit card numbers, expiration dates, and the corresponding names and addresses. More than 241,000 of those numbers belong to, as Krebs reported, high or no-limit American Express cards, near gold on the black market. 

“The privacy implications of this are very disturbing,” Alex Holden, chief information security officer at the Milwaukee-based Holden Security, told the Associated Press. “If we start mentioning the names, there might be widespread panic.” 

Holden also said that he was concerned Corporate Car Online was acting too slowly and he himself had begun notifying some of the affected clients and law enforcement officials. 

Krebs goes on to note that “any two-bit tabloid would have an absolute field day with this database. Simple text searches for certain words (‘sex,’ ‘puke,’ ‘arrest,’ ‘police,’ ‘smoking pot’) reveal dozens of records detailing misbehavior and all kinds of naughtiness by executives, celebrities and people you might otherwise expect to behave civilly.” 

Instructions meant for the limo or car driver were included in many of the files. Donald trump, for instance, was picked up from the Wynn Hotel in Las Vegas, Nevada on February 12, 2007. The note stipulated: “Must be new car, clean and front seat must be clear.” 

Michael D. Grimes, co-head of global technology investment banking for Morgan Stanley, hired a car on January 30, 2013: “Always wants ‘Michael David’ for name sign. Do not use last name! Always wants inside meet. VIP, co-head of worldwide technology.” 

The FBI refused comment to multiple media outlets, yet Jonathan Mayer, a cyber-security fellow at the Center for International Security and Cooperation at Stanford University, told AP this latest hack proves again it may take only the smallest break in a firewall for hundreds of thousands of users to be affected. 

“The point here is that you don’t have to be a big target to be at risk online anymore,” he said. “This is the new normal, and it underscores the need for improving the regulatory framework.”