Hackers somehow gained access to a popular limousine firm’s database and stole millions of records, including some of those belong to A-list celebrities, lawmakers and business moguls, from LeBron James to U.S. congressmen to Donald Trump, according to cyber security experts.
Cyber security researcher and blogger Brian Krebs told ABC News he discovered the mountain of confidential data weeks ago while poking around servers belong to a hacking group he believes to be connected to last month’s massive Adobe breach.
“It was pretty clear… that these were the same attackers, or at least a group of attackers that were using the same resources,” he said.
Cyber security firm Hold Security, which worked to investigate the cache of information with Krebs, posted on their website that it had identified a stolen database “with nearly 10 million records” that it said belonged to CorporateCarOnline, a St. Louis-based company that specializes in providing “software solutions” for car and limo service companies.
Both Hold Security and Krebs reported CorporateCarOnline confirmed the breach, but declined to discuss the matter further. A spokesperson for CorporateCarOnline was not immediately available for comment to ABC News. Under the heading “Your Data Security,” the company says on its website the company says it has a firewall to protect against cyber attacks and says the company “takes multiple steps to ensure your data is adequately protected.”
Krebs said it’s unclear how the hackers gained access to the information, but reportedly found in the records are potentially disastrous financial records, like numbers for high-rollers’ high- or no-limit credit cards, and tabloid-friendly, salacious details of alleged drug use and sex in the limos.
On his blog KrebsOnSecurity, Krebs doesn’t name names when it comes to the more scandalous information – and does not say whether they apply to any A-listers or to a myriad of other passengers — but does give more mundane examples of the circumstances under which some high-profile clients should be picked up.
For example, for Donald Trump a note is made that when he was picked up for a 2007 ride in Las Vegas the car “must be a new car, clean, and front seat must be clear.” Tom Hanks is called a VVIP and the driver is instructed not to use his cell or radio when the passenger is in the car. The driver for Sen. Mark Udall, D.-Colo., was forewarned the lawmaker was traveling with golf clubs when he arrived in Boston in September 2009. For LeBron James, the message was as simple as telling the driver to meet him at the athletes entrance to the Thomas & Mack Center in July 2007 – apparently right after the All-Star played in the 2007 State Farm USA Basketball Challenge in Las Vegas. Michael Grimes, high-level official at Morgan Stanley, would apparently prefer is the driver did not put his last name on the sign when they meet.
Krebs said its likely some of the credit card information has already made its way to the black market, where the high- or no-limit accounts are worth more than most in the internet’s underground, but he was unsure if the other unusual details had been posted online by whoever stole them in the first place.
Still, Alex Holden of Hold Security told The Associated Press Monday, “The privacy implications of this are very disturbing.”