Travel Agency and COVID-19 Testing Platform Exposed Client Data
19.01.2024

Below you’ll find details on two notifiable information security incidents.

The first incident occurred at a travel agency based in Melbourne. Inspiring Vacations has experienced a significant data leak, which resulted into exposure of 26.8 GB database.

Uncovered by cybersecurity researcher Jeremiah Fowler, the exposed database, owned by Inspiring Vacations, contained 112,605 records, encompassing personal information of numerous tourists. The compromised database housed data on 13,684 customers.

The exposed data included:

  • High-resolution passport images
  • Full names
  • Email addresses
  • Trip costs
  • Travel visa certificates
  • Passport numbers
  • Internal company documents
  • 24,000 itinerary and e-ticket documents, some displaying partial credit card numbers. 

While the majority of individuals affected were Australian citizens, identification documents of New Zealand, the United Kingdom, and Ireland residents were also discovered.

Although the exact number of affected passports is uncertain, the sample revealed approximately 1,000 identification documents.

The second incident also resulted in a large amount of customer information being leaked.

The data leak at Coronalab.eu, a Dutch COVID-19 testing platform, resulted into exposure of the database with 11.8 million patient records. The prerequisite for the incident was  misconfiguration of the Google Cloud Storage bucket named "prod," containing 1.7 million files and 11.7 million records on individuals from 44 countries. The  bucket was used for operational and production data management. 

The exposed data, spanning 2020 to 2022, comprised 120K Covid certificates in QR code formats and 32K CSV files with over 11.7 million test results. The exposed personal information included:

  • Full names
  • Nationalities
  • Dates of birth 
  • Passport numbers
  • Covid results
  • Email addresses
  • Phone numbers. 

Most of the leaked information belongeds to residents of Denmark, but information on residents of the UK, the Netherlands, the US, Germany and Italy was also among the data exposed.


You can also read about two similar incidents we reported earlier, the LY Corporation data leak and the LADBible group incident.


Subscribe to get helpful articles and white papers. We discuss industry trends and give advice on how to deal with data leaks and cyberincidents.