Anite Travel, which supplied ferry booking software to the companies that were hacked, is investigating the theory that current or former members of staff may have passed copies of the password list to the hacker, who appears to have been acting on inside information.
About 70 or 80 IT and technical staff in Anite Travel would have had access to an unencrypted file containing details of the passwords and the phone numbers used to access their systems.
"Anyone can copy a single file from an unprotected network share and have all the customer modem numbers and access passwords. An unhappy worker could mail this out," said one source.
One theory is that the lists could have been sent out by a current or former member of staff using an Internet chat service.
The disclosure has highlighted concerns about poor security in the travel industry, which relies on systems and technologies long since abandoned by other sectors of the economy.
"The password list is obviously very important to their customers. One would have thought it would not be on a network at all and it would be in encrypted form," said Peter Sommer, a security expert.
The hacker used software from the Internet, Zap2, to delete his log files and cover his tracks, it emerged.
Anite Travel declined to comment.