Fota Wildlife Park cyberattack: Thousands may be vulnerable as financial and other personal details compromised

Cork visitor attraction ‘is in the process of contacting all potentially impacted customers’

Fota Wildlife Park. Photograph: Neil Danton
Fota Wildlife Park. Photograph: Neil Danton

The financial details of tens of thousands of people may have been compromised in the Fota Wildlife Park cyber attack, with victims also more vulnerable to targeted scam emails in the future, a leading cyber security expert has warned.

Customers who bought tickets on the park’s website between the middle of May and the end of August have been told to cancel debit or credit cards following the cyberattack and urged to review transactions on their accounts since May 12th, to identify any suspicious activity.

Those registered with the site have also been told usernames, passwords and email addresses linked to the account may have been compromised and they have been urged to change any passwords also on other accounts.

“On becoming aware of this activity, we took immediate steps to investigate and identify what information had been accessed on our website in order to carry out containment measures,” an email sent to impacted customers said.

READ MORE

It added external forensic cyber security experts had been engaged and the incident notified to the Data Protection Commission. The park said it would co-operate fully with an investigation.

A spokeswoman for the Data Protection Commission confirmed it received a breach notification from Fota Wildlife Park that is being assessed.

A spokeswoman for the Banking and Payments Federation of Ireland (BPFI) said that the wildlife park had “not yet confirmed what information has been compromised by the attack” and added that its members “have not seen a significant uptick in queries or reports of unusual account activity from customers since the alert was issued”.

More than 400,000 people visit the wildlife park each year with most going during the summer months so tens of thousands of credit and debit cards details may now be in the hands of criminals.

The likelihood is those behind the data breach will seek to sell the financial information as well as password and email details on the dark web with the details likely to be circulated in the market for many months, although its value will diminish with the passage of time.

“The fact that they have recommended people cancel their credit cards suggests strongly that full credit card numbers have been stolen.” said Paul C Dwyer, the president of the International Cyber Threat Task Force.

He noted that under industry data-security standards vendors do not store whole credit card numbers or CVV numbers and said “this hack suggests the compromise was on the website itself and that when people were putting in their details, the bad guys were sitting there just sucking down the data for quite a considerable amount of time.”

Mr Dwyer said it was known as a man-in-the-middle attack and “because of the date range, it is likely they were in the system for quite some time and that the whole card details are in the hands of the cyber criminals now”.

“They are telling people to cancel credit and debit cards, and it is beyond precautionary measures. That doesn’t happen often these days because of all the controls in place,” he continued.

He suggested the implications of that would depend on the scale of the criminal enterprise behind the breach.

“We have low-level criminals who will get a few credit card numbers and use them to buy things online to resell and turn into cash quickly.” he said. “More sophisticated criminals collect spreadsheets full of maybe 10,000 or 20,000 card details.”

The data may also have more value because there is a “commonality between all of the details that are stolen [and] the people whose data has been compromised all like animals or like holidaying in Ireland or in Cork, and they will be at risk of getting phishing emails that are specific to that. There’s a higher rate of these scams being successful”.

Mr Dwyer warned that criminals “will also have email address, names, mobile numbers and IP addresses and the operating system people used and they’ll understand whether you use an iPhone or an Android. They’ll understand all of these things and all of these tiny little pieces on their own might not be much use but when you put them together they can have real value.”

He said the information would start losing value immediately “and people started changing passwords. It starts to go stale and because of that it will just go down in value and eventually it will be pretty useless and no longer attractive on the underground marketplace”.

Conor Pope

Conor Pope

Conor Pope is Consumer Affairs Correspondent, Pricewatch Editor

Jack White

Jack White

Jack White is a reporter for The Irish Times