A hacker break in at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information on more than 850,000 well-heeled customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities.
The high-value data cache was found on the same servers where hackers stashed information stolen from PR Newswire, as well as huge troves of source code data lifted from Adobe Systems Inc. — suggesting that the same attacker(s) may have been involved in all three compromises.
In this case, the name on the file archive reads “CorporateCarOnline.” That name matches a company based in Kirkwood, Missouri which bills itself as “the leading provider of on-demand software management solutions for the limousine and ground transportation industry.”
I reached out several times over almost two weeks seeking comment from CorporateCarOnline.com. At length, I reached owner Dan Leonard, who seemed to know what I was calling about, but declined to discuss the matter, saying only that “I’d prefer not to talk to anybody about that.”
It’s understandable why the company would decline to comment: Inside the plain text archive apparently stolen from the firm are more than 850,000 credit card numbers, expiry dates and associated names and addresses. More than one-quarter (241,000) of all compromised card numbers were high- or no-limit American Express accounts, card numbers that have very high resale value in the cybercrime underground.
Alex Holden, chief information security officer at Hold Security LLC and a key collaborator on the research in this post, said CorporateCarOnline confirmed to him that the data was stolen from its systems.
“While the target is not a household name, it is, arguably, the highest socially impacting target yet,” Holden said. “By its nature, limo and corporate transportation caters to affluent individuals and VIPs.”
Further pointing to a compromise at the site is the presence of a vulnerability in its implementation of ColdFusion, a Web application platform that has become a favorite target of the attackers thought to be responsible for this and other aforementioned breaches of late.
Below are some of the rich and famous whose pick up and drop-off information — and in some cases credit card data — was in the stolen archive. Nearly all of these individual records were marked with “VIP” or “SuperVIP!” notations. Included in quotes are notes left for the chauffeur.
LeBron James – Thomas & Mack Center sports arena, athlete entrance, July 22, 2007; “Call Lynn upon arrival.”
Tom Hanks – Chicago Midway, June 19, 2013; “VVIP. No cell/radio use with passenger/prepaid. 1500 W. Taylor Street Chicago, Rosebud, Dinner Reser @8pm”
-House Judiciary Committee Chairman Rep. John Conyers, (D-Mich.), July 4, 2011, Indianapolis International Airport; “Meet and Greet Baggage Claim. US Congressman. A DFTU situation” [not quite sure what this stands for, but my guess is “Don’t F*** This Up”]
-Sen. Mark Udall (D-Colo.), chair of the Senate Armed Services Committee’s Subcommittee on Strategic Forces. Boston Logan Intl. Airport, Sept. 14, 2009; “Contact if need be Yolanda Magallanes [link added]. Client will have golf clubs with him.”
Other current members of Congress whose information appears in this database include Rep. Joe Garcia (D-Fla.); Rep. Gus Bilirakis (R-Fla.); Rep. Jim Matheson (D-Utah); Rep. Lynn Westmoreland, Rep. Joe Baca (D-Calif.), Rep. Mario Diaz-Balart (R-Fla.).
A number of former lawmakers were passengers with limo companies that gave their customer data to CorporateCarOneline, including:
-Sen. Tom Daschle (D-SD), Des Moines, Iowa, July 21, 2010; “Ag Innovation Committee. Passengers plus luggage. Passengers: Lori Captain, Mary Langowski, Jonathan Sallet, Tom West, Jim Collins, Senator Tom Daschle, JB Penn, Anthony Farina.”
-Sen. John Breaux (D-La.), Aug. 27, 2010; “Ambassador Steven Green & Senator Breaux. ***VIP***DO NOT COLLECT”
-Donald Trump, Wynn Hotel, Las Vegas, Feb. 12, 2007: “Must be new car, clean, and front seat must be clear.”
-Michael D. Grimes, co-head of global technology investment banking for Morgan Stanley. Jan. 30, 2013; “Always wants ‘Michael David’ for name sign. Do not use last name! Always wants inside meet. VIP, co-head of worldwide technology.”
-Bruce Chesley, director, advanced space and intelligence systems, Boeing; LAX, July 5, 2013.
-Josue Christiano Gomes da Silva, chairman and CEO of Companhia de Tecidos Norte de Minas, the largest textile group in Latin America, June 2, 2013: “Cheauffeur meets inside luggage claim with printed name sign. SUPER VIP CLIENT. EVERYTHING MUST BE PERFECT!”
-Patrick M. Prevost, president and CEO, Cabot Corp. June 2, 2013; “SUPER VIP he is CEO of Cabot Corp!”
AMMO FOR TARGETED ATTACKS?
This database would be a gold mine of information for would-be corporate spies or for those engaged in other types of espionage. Records in the limo reservation database telegraphed the future dates and locations of travel for many important people. A ridiculously large number of entries provide the tail number of a customer’s plane, indicating they were to be picked up immediately upon disembarking a private jet.
Such information would be extremely useful in the hands of nation-state level attackers. For a very relevant and timely example of this, consider the cyber spying story printed last month by Foreign Policy magazine. That piece featured an interview with Kevin Mandia, the chief executive of Mandiant, an Alexandria, Va. based firm that specializes in helping companies defend against cyber espionage attacks. In the FP story, Mandia said he recently was the target of a targeted cyber attack that tried to foist malicious spyware on him via an email with a booby-trapped PDF copy of a recent limo invoice.
“I’ve been receiving PDF invoices not from them, but from an [advanced hacking] group back in China; that’s awesome,” Foreign Policy quoted Mandia as saying. According to the story, Mandia only caught the attack when the hackers sent receipts on days when he hadn’t used the car service. “I forwarded them to our security service, and they said, ‘Yup, that’s got a [malicious] payload,” Mandia said.
Incredibly, this purloined limo database may have played a part in those attacks. Among the 850,000+ records in the stolen CorporateCarOnline data are several travel records for Mandiant employees, including Kevin’s. Other Mandiant employees who used limo services via CorporateCarOnline include David Swanson, manager of strategic solutions at Mandiant, and Andrew Williams, a sales account executive. I shared the Mandiant data with a representative for the company, which declined to comment for this story.
Any two-bit tabloid would have an absolute field day with this database. Simple text searches for certain words (“sex,” “puke,” “arrest,” “police,” “smoking pot”) reveal dozens of records detailing misbehavior and all kinds of naughtiness by executives, celebrities and people you might otherwise expect to behave civilly.
For example, the following is an explanation taken from a limo reservation made back in May 2006 by a woman working for MTV. The limo in question was actually a stretch Hummer with capacity to seat 14 passengers, and was rented for the occasion of visiting a series of wineries in Long Island, NY. When the stretch Hummer returned to the shop after disgorging its passengers, the fleet’s owners discovered that the vehicle had been plastered with cheese slices and crackers, and that someone had left behind a sex toy:
“We would like to apologize for the inconvenience that was caused at the beginning of Your rental and we hope that by giving You 2 hours free of overtime we made it up to You. The power problem was out of our control and could not be foreseen since right before dispatching the car everything was properly working. After the vehicle returned to base we discovered that it was left in a complete mess. Slices of cheese were all over the seats, windows and the bars. On top of that, crackers were left on the floor and seats crushed by people sitting and walking all over it. We are transportation company not a restaurant and we specifically put in our terms and conditions that we do not allow any food in our limousines. Also we do not allow any sexual activities in the car and we have found sex toy while cleaning the car. We have charged your card for cleaning fee of $100 since we had to send limousine to the car wash to get it detailed after all the activities during your rental.”
Tags: Aaron Rodgers, American Express, Bruce Chesley, ColdFusion, Corporatecaronline.com, Dan Leonard, Donald Trump, Jorgen Vig Knudstorp, Josue Christiano Gomes da Silva, Kevin Mandia, Kjeld Kirk Kristiansen, LeBron James, Mandiant, Michael D. Grimes, Morgan Stanley, MTV, Patrick M. Prevost, Rep. Billy Tauzin, Rep. Gus Bilirakis, Rep. James Saxton, Rep. Jim Matheson, Rep. Joe Baca, Rep. Joe Garcia, Rep. John Conyers, Rep. Lynn Westmoreland, Rep. Mario Diaz-Balart, Rep. William Delahunt, Sen. John Breaux, Sen. Tom Daschle, Tom Hanks