back to article Japan travel agency fears leak of 7.93 million records, passport deets

Japan's largest travel agency JTB Corp says 7.93 million passport details, and home and email addresses may have been stolen by hackers. Executives at the company held a press conference bowing in apology for the feared breach and telling local media it may have stemmed from staffer who opened phishing-borne malware. The …

  1. Pascal Monett Silver badge

    "[..] hacking attempts as part of its bid [..]"

    And ? You list two successful breaches and tack on a reported attempt without apparent consequence for what ? To bolster the list ?

    Come on. When you have a total of three breaches in five years to list you don't need to fluff things out - things are bad enough already.

  2. frank ly

    Why?

    Why does a travel agency feel the need to store passport details of its clients for years and years? Are they required to do this by law in japan?

    1. Warm Braw

      Re: Why?

      Travel agencies, particularly ones that make short-notice travel arrangements for business people on behalf of their employers, will likely not only have scans of the passport, but probably the front and reverse sides of credit cards and driving licences.They ought *not* to need them, but some travel suppliers insist on being faxed (ir)relevant documentation before they'll confirm a booking and as the agency is acting on behalf of the end usere, they often need to supply the end user's credentials.

      Agencies are making some, slow, efforts to become PCI compliant but even the card companies realise that they have to be cut some slack owing to the nature of the business they're in.

  3. FuzzyWuzzys
    Facepalm

    Bloody "Security Theatre"!!

    This is the annoying thing about the "security theatre", these agencies that don't need these details but governments demand they pass them on for security purposes but the travel agencies keep them for marketing. So now you have travel agencies that have no business storing these docs and governments, whose track record for security is less than stellar, losing all our details and then they all have the bloody nerve to tell us to be more careful with our personal info!!!

    1. Anonymous Coward
      Anonymous Coward

      Re: Bloody "Security Theatre"!!

      And we get the next wave of Security Theatre, encryption backdoors, aka Snoopers Charter.

      So British companies, and British owned companies abroad are supposed to sell their cloud services, communications satellites, network kit, data processing services etc. to customers WHO KNOW THAT KIT IS BACKDOORED with a GCHQ account.

      And when the backdoor is opened and all the lovely data lands in hackers hands, they'll cover their asses with 'National Security' secrecy. Try to pretend hackers are ISIS hackers or some such nonsense, to cover the basic fact that they added a third party to every conversation: Charlie.

      So Brit kit 'Charlie', could protect Alice communicating with Bob by encryption, even protect it from Charlie himself. But because Snoopers Charter requires Charlie be able to strip encryption from anything he makes, Charlie needs to be able to listen in on Alice and Bobs comms via his backdoor.

      So now 1000 customers with 1000 keys, are all as secure as ONE customer, Charlie. Not even that, because Charlie is handing that access to GCHQ and police and god knows who else, so its as secure as a News of the World reporter's laptop.

      Buy our Brit-kit, its secure, only you, me, Charlie, 1000 Chief constables, 10k civil servants, a couple of million security contractors, a hundred nosey press, your competitors..... hardly anyone can read our erm I mean your encrypted comms!

  4. Justicesays

    Not sure this adds up

    So, passports normally are valid for 10 years, they have 7.3 million of them stored and stolen, only 43,000 (assuming body ,not title, is correct) , are still valid.

    So they have 169 years of passport data ?

    Or passports are issued for much shorter times in Japan? Or did they get them all cancelled immediately?

    Why would you need to store invalid passports?

    1. Dan 55 Silver badge

      Re: Not sure this adds up

      Because they have no idea about security and don't have a routine which clears the passport from the database on the passport expiry date or one year* after the last booking, whichever is first.

      * Just to give some kind of time range, there are probably better ones.

  5. Shades

    Deets?

    The word you are looking for is "details". What are you 14 years old and writing for Buzzfeed or TMZ?

  6. Psymon

    I think that this really highlights the weakest point in any security system is the human.

    Nearly all infections of end-client systems today use large factors of social engineering, and there is no simple answer to this problem.

    The inherent issue is trust. You HAVE to have a degree of trust in everyday use of a computer system. Just like every day, you trust that when you swing your legs out of bed, gravity will allow you to stand on the floor, every day, you click on My Computer (or the equivalent) and trust that it will list your files, and not format your entire hard disk.

    But you don't KNOW that. You don't perform tests every morning to ensure that gravitational pull between the earth and your body is still functional, just like you don't parse the binary code through a hex editor every time you open your documents window, and for good reason.

    That's because in those two scenarios, it's pretty much 100% certain this will happen as expected, but then we venture into the grey areas.

    Say, you've got an old wooden ladder. You've had it years. It's a bit green with moss, but feels sturdy. How long though, before a rung snaps while you're climbing it? When is the point that you stop trusting it?

    We face the same conundrum with software on the internet. How do you KNOW that the next Adobe Flash update hasn't been compromised? Where do you draw the line? Just how dodgy does a website have to look before the risk outweighs that useful looking free app? Once you've downloaded and authorised it to install, you've got absolutely no idea what that code is actually doing, no matter what platform.

    Process monitoring might have worked in the nineties, but today, software packages are so vast that it's trivial to hide a few discreet actions amongst the flurry of of multi-processed shenanigans. And I'm not talking bloatware, either. Modern software has to cope with networked, multi-platformed, virtualised environments as par for the course.

    Microsoft implemented the UAC, which flashes up an alert when a program attempts to do something with elevated privileges, but once you grant he installer permission, you've got no idea what it's actually doing. You can argue for more layered permissions (and on domain machines we can implement them), but in practice there is so much software out there that legitimately needs to modify drivers, for example, you'd just end up blindly clicking more UACs.

    I thought Android had the solution when they implemented a permission list at the point of install, but in practice, it's just needlessly scary, and doesn't really help.

    "Woah, this gourmet app needs access to internet, my phone, my GPS, and storage!"

    Yeah, that's only so it can download the restaurants menus, show you how far away they are, allow you to phone them, and cache details.

    There's nothing to stop it using those permissions to say, upload my constant location to the NSA while scanning my photos for nudes and posting them to a Mexican gay porn site, and I'd be none the wiser.

    I just have to trust that it's doing what I expect it to, and that trust is based upon my own experience and knowledge, which is considerably higher than the average Joe.

    Further improvement has been made now the access permissions are granted dynamically, but Joe really doesn't gain much more control or awareness.

    While it still lists the permissions the app needs at the point of install, the actual access isn't granted until the app tries to use that permission for the first time. This adds a little more oversight to the user, giving you a slightly murky view into what's actually happening under the bonnet, but again, it's limited, and it relies on the user having an instinct based on experience for what could be dodgy behaviour.

    And there's nothing to stop a coder creating a trojan that legitimately DOES need the permissions it requests, and DOES use them, while also uploading your dick-pics to dirtyamigos.com. An app like that could remain undetected for a very long time. The Flash Keyboard app was only flagged because somebody asked "hey, why does a simple keyboard app need all of those permissions?"

    Then of course, you have heuristic malware scanners. These are basically anti-virus programs that look for dodgy behaviour, rather than a direct mug-shot of a know virus, but this technology has been around for decades, and has never caught on because it's AI is not much better than the average joe, flagging more false alerts than real threats, and often causing users to break software because of panicky false flags.

    Maybe heuristics will improve, but looking at the progress of the last decade I don't see it becoming our saviour any time soon.

    1. Anonymous Coward
      Anonymous Coward

      Re: I think that this really highlights the weakest point in any security system is the human.

      " How do you KNOW that the next Adobe Flash update hasn't been compromised?"

      Not really a good example. Based on the last 15 years, you can pretty well guarantee there's a hole in it somewhere. More likely several.

      1. Psymon

        Re: I think that this really highlights the weakest point in any security system is the human.

        Well, Flash certainly has a lot of security holes, granted, but I was talking more about the actual binary you are downloading being compromised.

        Along those lines though, both Flash and Java have some nasty trojans. Since when did blue-chip companies think it's acceptable to try and slip browser toolbars and homepage changes in with legitimate security updates?

        We have a few groups of machines where the users have local admin rights due to a combination of technical and political reasons, and I have to run weekly scripts cleaning out the Ask toolbar, Mcafee, and countless other pieces of performance sapping junkware from them.

        I suppose in a way, it's good training. If you can't trust names like Adobe and Oracle not to sneak unwanted crap into your machine, then you won't trust anyone. On the flip-side though, I've met a lot of users who have been brow-beaten and conditioned into accepting it as the norm.

  7. Anonymous Coward
    Anonymous Coward

    What No Seppuku for leaking all this damning data...???

    Pity, as it might have set a useful example. Hackers combined with the weakest link in any organization can bring anyone down... But accountability in Japan is as bad as everywhere else now... Even the Governor of Tokyo was caught with his hand In the cookie jar and no Seppuku... And wasn't the Mayor ousted not long ago either (500k kickback)???

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like