Data breach on bus websites - HCT Group under investigation

Friday 17 May 2019


Guernsey's bus top-up website has suffered a data breach over the last two weeks, with more than 400 people across the Channel Islands having their login details hacked.

A false login page appeared on both Guernsey's and Jersey's websites from around 29 April, with anyone who entered information onto either the CT Plus or Liberty Bus services pages being given an automatic password change.

HCT Group, which comprises CT Plus in Guernsey and Liberty Bus in Jersey, is under investigation after it came forward to the Data Protection authorities for both islands upon recognising a data breach.

A phishing attack that intercepted the link between the main websites and the top-up shop website for the Puffin Pass and Jersey's Avanchi Card was identified on 15 May, but redirection notices had been tested by hackers from as early as 29 April.

A phishing attack involves hackers gaining data from websites by urging users to enter their sensitive data, i.e. username and password, into fraudulent forms. It becomes a security risk for those affected who use the same passwords across multiple websites.

Regional Manager Kevin Hart, who also acts as the Channel Islands' Data Protection Officer, was alerted to the breach by the host website that handles payments for topping up the Puffin Pass and its Jersey equivalent, the Avanchi Card.

"The guys who take the money on behalf of us realised we hadn't had any traffic on any website. 

"A couple of days ago the traffic stopped, all of the people who had login details taken did so in the last two days. We reported it to both Data Protection offices and an investigation is underway. 

"We're going to be working with authorities, it could result in a fine, we just need to prove we were doing everything we could to stop it. We're telling everyone as much as we can. 

"There is a Data Protection officer internally based in London, but I am the Data Protection officer for the Channel Islands," he said. 

IT security experts on Twitter expressed their dissatisfaction with the bus websites earlier today.

 

According to the CT Plus website, a duplicate login to the top-up site was created where users were asked to fill in their email address or pass number and their password.

"After verifying the nature and credibility of the risk the duplicate page was immediately shut down and both sites are now safe.

"The breach was identified that the earliest possible date the incident could have taken place in Guernsey and Jersey was 29 April, the false link was removed 15 May and the Data Protection Commissioner informed and those affected have also been contacted.

"Reports show that in Guernsey 82 people were affected (361 in Jersey). Due to the nature of the data obtained, there is limited risk of fraudulent activity for those affected. No credit/debit card details were accessed and at no point was the central database of PuffinPass or Avanchicard holders compromised.

"All of those individuals affected have been sent an email which explains the level of information that was accessed and advising them that their passwords have been reset. Advice will also be given to all those who use the online shop.

"Over the course of the coming weeks the top-up section of the buses.gg and LibertyBus website may be unavailable intermittently as testing and forensic investigations are taking place and customers are advised to top-up either on the bus or at The Town Terminus Shop.

"CT Plus is now working closely with the regulatory authorities and their suppliers to investigate how this incident occurred. They are also working hard to put measures in place to ensure that an incident of this nature does not happen again," it reads. 

Any customers concerned about the issue can contact infomation@buses.gg
