Dear Members,
08 Jun 2022, 19:55
Dear Members,
On 5th June 2022, an attack carried out against one of LockTrip's customer support personnel gained access to low-level data of some of our customers.
The event involved a leak of access to a third-party service provider where low-level booking information was present.
This is the type of information that is generally handled in the context of support operations.
This is just to inform you that:
- No passwords or credentials have leaked
- No credit cards were compromised. They are protected by top-grade PCI-compliant security
- No compromise of our servers ever took place; the attack was through access credentials to third-party service providers that are necessary for support operations
- The incident happened completely outside of the marketplace environment on a third-party server/service
In fact, when investigating the event logs, we could not find signs of direct data exports. However, we want to be extra careful and want to notify our community about the possibility that some limited data may have been accessed via other means (without leaving traces).
Again, we have no evidence that data was leaked. But there is a possibility of it, affecting up to roughly 1% of registered accounts.
The data that may have been accessed is:
- name
- address
- email
- only the last 4 digits of the credit card (the four digits can't be used for anything on their own; the main credit card details are stored behind top-grade PCI-compliant security)
This is the first such incident that we've experienced. We are treating it with the highest priority and have already implemented drastic measures to make sure our organization's security meets the highest possible standards, not only at the infrastructure level but also at the human level.
Regardless of this and despite our best efforts, in our field of work, incidents are possible. We want to apologize for any inconvenience caused and hope this does not hurt your trust in our organization.
We decided that it is our duty to inform our community of this incident regardless of its classification.
For context, incidents of this type are generally classified as low risk, and legally, organizations are not mandated to inform the entire user base (most don't, and such incidents remain in the background).
We decided to do so anyway, as we view transparency as a critical component of this project. Those who put their trust in us, either as a marketplace user or as an investor, deserve to be informed about both the good and the bad things in our growth journey.
Can the attacker do any harm?
As stated above, the marketplace itself was never breached, and all operations, including bookings and payments, are as safe as ever (yesterday's issues with the front end are completely unrelated to this event).
There is, however, a possibility that the attacker will try to target an affected member and send out phishing emails, posing as official LockTrip support or as someone else. In 90% of the cases those emails will not land in your mailbox, because they are easy to spot as being spoofed by modern email clients.
Nevertheless, if you receive a suspicious email, please make sure to forward it to our team so we can try to track the attackers (team@locktrip.com).