Over 350 passwords compromised in bus company data breach

Friday 17 May 2019

LibertyBus has launched an investigation after its top-up website suffered a data breach over the last two weeks, with over 350 islanders having their login details hacked.

A false login page appeared on both Jersey and Guernsey’s websites from around 29 April, with anyone who entered information onto either Liberty Bus or CT Plus pages being given an automatic password change.

A phishing attack that intercepted the link between the main websites and the top-up shop website for the Puffin Pass and Jersey's AvanchiCard, was identified on 15 May.

A total of 361 people were affected in Jersey.

Phishing attacks involves hackers gaining data from websites by urging users to enter their sensitive data (i.e username and password) with fraudulent forms. It becomes a security risk for those affected who use the same passwords across multiple websites. 

IT security experts on Twitter expressed their dissatisfaction with the the bus websites earlier today:

✔️ Announcement on insecure page
✔️ No HTTPS redirect
✔️ Leaks Apache version
✔️ Leaks *ancient* PHP version
✔️ No security headers to prevent framing by phishers.

Long way to go before this site & server are secured. https://t.co/CD0gpExm4Q

— Tom Brossman (@tombrossman) May 17, 2019

LibertyBus have now confirmed that the top-up section of their website will be unavailable intermittently as testing and forensic investigations are undertaken. Customers are instead advised to top up in person at Liberation Station.

The bus prover said it was “deeply disappointed” that the breach occurred and apologised to those affected.

“LibertyBus is now working closely with the regulatory authorities and their suppliers to investigate how this incident occurred. They are also working hard to put measures in place to ensure that an incident of this nature does not happen again,” the company said in a statement.

Regional Manager Kevin Hart, who also acts as the Channel Islands' Data Protection Officer, told Express he alerted to the breach by the host website to handle payments for topping up the Avanchi Card and Guernsey equivalent, the Puffin Pass. 

"The guys who take the money on behalf of us realised we hadn't had any traffic on any website. 

"A couple of days ago the traffic stopped, all of the people who had login details taken did so in the last two days. We reported it to both Data Protection offices and an investigation is underway. 

"We're going to be working with authorities, it could result in a fine, we just need to prove we were doing everything we could to stop it. We're telling everyone as much as we can. 

"There is a Data Protection officer internally based in London, but I am the Data Protection officer for the Channel Islands," he said. 

Customers with concerns are urged to contact info@libertybus.je.