Bus passengers’ data is stolen in website attack

On Wednesday 15 May at 11am CT Plus was alerted to an incident involving unauthorised entry to the websites on buses.gg and libertybus.je, affecting 82 people in Guernsey and 361 people in Jersey.

The attack involved the creation of a duplicate login to the top-up site where users were asked to fill in their email address or pass number and their password, meaning email addresses, puffinpass or AvanchiCard numbers and account passwords were taken.

HCT Group, which runs the transport enterprise that includes CT Plus and LibertyBus, was quick to say that no cardholder details were compromised.

Kevin Hart, HCT Group’s director of the Channel Islands and the south-west, said they had emailed customers who they believe to have been affected, advising them on what has happened.

‘Customers affected have been contacted, advising them that we have changed their password and they therefore need to follow a link to reset their password.

‘We would advise all customers to reset their password if they are concerned.

‘Also we recommend that if customers use the email address and same passwords on other portals that they change them and have different login and password for each login they have.’

After verifying the nature and credibility of the risk the duplicate page was shut down.

HCT said that they have all the necessary defences in place and a high level of security.

Website vulnerabilities were found in May 2016 by Adrian Ritchie, a software developer, on the route planner section of the website.

He found that he could insert information onto the website via a link. When people clicked on that link they would have an ‘updated’ version of the website that could include viruses and malicious software.

He said: ‘I found it purely by accident when entering information into the site. It shouldn’t have been possible so I contacted them immediately to tell them. Perhaps, this previous issue could have been used, I’m not sure, I haven’t looked at it again since because of what has happened.

‘I just hope they do their due diligence and security checking as it can be quite easy to overlook an issue.’

A Jersey-based data protection specialist commented that anyone with a website that contains public data, should initiate website penetration testing to ensure the site is secure.

‘Most organisations do not have this in place and it is not required of them, but it should be good practice to do on at least an annual basis,’ they said.

‘If there has been an attack it should be done on a more regular basis, though even so, because of the sophisticated and ever-evolving nature of cybercrime, there could still be an attack.

‘Websites will never be 100% safe.’

Over the course of the coming weeks the top-up section of the buses.gg and LibertyBus website may be unavailable intermittently, as testing and forensic investigations are taking place and customers are advised to top-up either on the bus or at The Town Terminus Shop.

HCT Group’s Mr Hart added: ‘We have already put measures in place to tighten our security and are working with the regulatory authorities and our suppliers to ensure this doesn’t happen again.

‘We are deeply disappointed this incident has occurred and wish to apologise to those affected.’