A hacker who broke into the IT systems of leading travel operators
and programmed their systems to issue more than £100,000 in
fraudulent credit card refunds may have had access to lists of
passwords kept by the travel firms' software supplier.
Anite Travel, which supplied ferry booking software to the
companies that were hacked, is investigating the theory that
current or former members of staff may have passed copies of the
password list to the hacker, who appears to have been acting on
inside information.
About 70 or 80 IT and technical staff in Anite Travel would have
had access to an unencrypted file containing details of the
passwords and the phone numbers used to access their systems.
"Anyone can copy a single file from an unprotected network share
and have all the customer modem numbers and access passwords. An
unhappy worker could mail this out," said one source.
One theory is that the lists could have been sent out by a current
or former member of staff using an Internet chat service.
The disclosure has highlighted concerns about poor security in the
travel industry, which relies on systems and technologies long
since abandoned by other sectors of the economy.
"The password list is obviously very important to their customers.
One would have thought it would not be on a network at all and it
would be in encrypted form," said Peter Sommer, a security expert.
The hacker used software from the Internet, Zap2, to delete his log
files and cover his tracks, it emerged.
Anite Travel declined to comment.