DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

CardCrypt: 16 Companies Exposed Customers Unencrypted Credit Card Data

Posted on December 11, 2015 by Dissent

Jett Goldsmith writes:

A security vulnerability affecting 16 companies worldwide, including Air Canada, the CN Tower, and the San Diego Zoo, has potentially revealed the unencrypted credit card data of hundreds of thousands of customers, according to a report by threat detection firm Wandera.

Read more on Neowin.

Over on Wandera’s blog, they write:

Today, Wandera announced the discovery of the CardCrypt security flaw affecting sixteen companies, including four major airlines – Air Canada*, easyJet*, AirAsia and Aer Lingus*. Each of the companies has been failing one of the most basic of security requirements by not fully encrypting the traffic to the payment portion of their mobile web site or app. This means that customers who use these services unknowingly may have had their credit card information sent ‘in the clear’, and have been at risk of having that information stolen.

* UPDATE: We are pleased to say we have learned that easyJet, Chiltern Railways, San Diego Zoo, CN Tower, Aer Lingus and Air Canada have now confirmed there is no ongoing issue. We will continue to assist others in trying to swiftly resolve this issue.

Reportedly, it was not just credit card numbers that were leaking in some cases:

What information was exposed?
Every one of the companies has exposed the full credit card number unencrypted. All of the companies, except for Air Canada, also exposed the CVV number. But the CardCrypt flaw is not limited to just this information.  Alarmingly, the amount of additional information that was exposed by some of the companies has been significant and included card expiration date, full name, billing address, email addresses and even passport information.

Read more on Wandera.

Category: Business SectorExposure

Post navigation

← 1,500 patients impacted by laptop theft
UK: NetNames confirms easily.co.uk whacked by cyber crims →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Copilot AI Bug Could Leak Sensitive Data via Email Prompts
  • FTC Provides Guidance on Updated Safeguards Rule
  • Sentara Health terminates remote employees after realizing they couldn’t be sure who was doing the work.
  • Hackers Break Into Car Sharing App, 8.4 Million Users Affected
  • Cyberattack pushes German napkin company into insolvency
  • WMATA Train Operators Arrested in Health Care Fraud Scheme
  • Washington Post investigating cyberattack on journalists, WSJ reports
  • Resource: State Data Breach Notification Laws – June 2025
  • WestJet investigates cyberattack disrupting internal systems
  • Plastic surgeons often store nude photos of patients with their identity information. When would we call that “negligent?”

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Vermont signs Kids Code into law, faces legal challenges
  • Data Categories and Surveillance Pricing: Ferguson’s Nuanced Approach to Privacy Innovation
  • Anne Wojcicki Wins Bidding for 23andMe
  • Would you — or wouldn’t you?
  • New York passes a bill to prevent AI-fueled disasters
  • Synthetic Data and the Illusion of Privacy: Legal Risks of Using De-Identified AI Training Sets
  • States sue to block the sale of genetic data collected by DNA testing company 23andMe

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.