Dark Web News Analysis
The dark web news reports a major data breach allegedly originating from ITAKA (itaka.pl), one of Poland’s largest and most well-known travel agencies. A database is being offered for sale on a hacker forum.
Key details claimed by the seller:
- Source: ITAKA (itaka.pl), a Polish (EU) company.
- Data Size: 2.2 million rows (customers).
- Data Content: A database table named fos_user.csv. This filename strongly indicates it is the user table from a Symfony-based application (likely the FOSUserBundle), which would contain:
- Usernames
- Email Addresses
- Hashed Passwords and Salts
- Other PII (Names, Phone Numbers, etc.)
- Data Timestamp: Data spans from 2017 to 2025, indicating the data is extremely recent and the breach likely just occurred or is ongoing.
- Price: $1,200 (USD) via BTC/XMR, with a “one buyer only” claim to create urgency.
This represents a severe compromise of the core user database for a major European travel company.
Key Cybersecurity Insights
This alleged leak signifies a security incident of high severity, with several critical implications:
- Massive PII & Hashed Password Leak: This is the primary threat. The leak of 2.2 million user records containing emails, names, and hashed passwords is a “goldmine” for attackers. They will:
- Launch Credential Stuffing Attacks: The hashed passwords (even if salted) will be subjected to mass cracking. The resulting email/password pairs will be used to attack other sites (banks, email, social media) where users have reused their ITAKA password.
- Launch Hyper-Targeted Phishing: Attackers can send highly convincing, personalized phishing emails (in Polish) to all 2.2M customers. Scams impersonating ITAKA about “a problem with your booking,” “a flight cancellation,” or “a refund” will be extremely effective at stealing credit card details or other PII.
- “Fresh” Data (Up to 2025) = Active Breach? The claim that the data is current up to 2025 strongly implies this is not an old backup. It suggests the attacker recently compromised the live database and the vulnerability may still be active. This elevates the urgency to critical.
- Specific Vector (fos_user.csv): The filename is a strong clue. It points to a direct database compromise, likely via a SQL Injection (SQLi) vulnerability or a server misconfiguration that allowed the attacker to dump the entire fos_user table.
- Critical GDPR Breach (Poland): As ITAKA is a Polish (EU) company, this is a severe violation of the General Data Protection Regulation (GDPR).
- Mandatory Reporting: ITAKA has 72 hours from the moment they become “aware” of this breach to report it to the Polish Data Protection Authority (UODO – Urząd Ochrony Danych Osobowych).
- User Notification: A breach of this scale, involving PII and hashed passwords, poses a “high risk to the rights and freedoms” of individuals, mandating that ITAKA notify all 2.2 million affected users “without undue delay.”
- Fines: The potential fines for this (especially if the vulnerability was known or basic) can be catastrophic, up to 4% of their annual global turnover.
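The credential-stuffing scenario described above is also visible on the defender's side: a source IP that cycles through many distinct usernames in a short window, with mostly failed logins, looks nothing like a legitimate customer. The following is an added example, not part of the original report; the log line format, the field names and the thresholds are assumptions, and the sample lines are constructed. It also lists the accounts that did log in successfully from a flagged IP, which are the ones to reset and sign out first.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not from the original report. The log format
("timestamp ip username result"), field names and thresholds are
assumptions; the sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: one IP tries six different accounts in three
# seconds (stuffing); another IP retries one account (not stuffing).
SAMPLE_LOG = """\
2025-06-01T10:00:01Z 203.0.113.7 anna.k@example.pl FAIL
2025-06-01T10:00:02Z 203.0.113.7 jan.n@example.pl FAIL
2025-06-01T10:00:02Z 203.0.113.7 piotr.z@example.pl OK
2025-06-01T10:00:03Z 203.0.113.7 marta.w@example.pl FAIL
2025-06-01T10:00:03Z 203.0.113.7 kasia.b@example.pl FAIL
2025-06-01T10:00:04Z 203.0.113.7 tomek.l@example.pl FAIL
2025-06-01T10:05:00Z 198.51.100.4 anna.k@example.pl FAIL
2025-06-01T10:05:09Z 198.51.100.4 anna.k@example.pl FAIL
2025-06-01T10:05:20Z 198.51.100.4 anna.k@example.pl OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(lines):
    """Yield (timestamp, ip, username, result) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result


def detect_stuffing(lines, window_seconds=60, min_distinct_users=5, max_success_ratio=0.5):
    """Return {ip: stats} for IPs that hit many distinct usernames in one window.

    The signature of stuffing is breadth (many accounts, one password each),
    so we key on distinct usernames, not on raw failure counts.
    """
    per_ip = defaultdict(list)
    for ts, ip, user, result in parse(lines):
        per_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        best = None
        # Sliding time window over this IP's events, keeping the widest hit.
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            window = events[start:end + 1]
            users = {u for _, u, _ in window}
            if len(users) < min_distinct_users:
                continue
            successes = sum(1 for _, _, r in window if r == "OK")
            if successes / len(window) > max_success_ratio:
                continue
            stats = {"distinct_users": len(users), "attempts": len(window), "successes": successes}
            if best is None or stats["distinct_users"] > best["distinct_users"]:
                best = stats
        if best is not None:
            flagged[ip] = best
    return flagged


def accounts_to_reset(lines, flagged):
    """Accounts that logged in successfully from a flagged IP: reset and revoke sessions."""
    return {user for _, ip, user, result in parse(lines) if ip in flagged and result == "OK"}


if __name__ == "__main__":
    hits = detect_stuffing(SAMPLE_LOG.splitlines())
    print(hits)
    print(accounts_to_reset(SAMPLE_LOG.splitlines(), hits))
```

The thresholds are deliberately conservative; tune the window and the distinct-user count against your own traffic, and remember that stuffing through a proxy pool spreads attempts across many IPs, so aggregating by user-agent or by ASN as well as by IP catches more.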
Mitigation Strategies
This requires an immediate, crisis-level response from ITAKA, focusing on containment, customer protection, and regulatory compliance.
- For ITAKA:
- IMMEDIATE Investigation & Containment: Activate the Incident Response Plan now. Engage an external DFIR (Digital Forensics) firm to verify the leak and find the root cause (e.g., SQLi, compromised dev credentials, misconfigured server). Patch the vulnerability immediately and hunt for any attacker persistence (backdoors, rogue admin accounts).
- MANDATORY: Force Password Reset: Immediately force a password reset for all 2.2 million user accounts.
- MANDATORY: Notify Authorities & Users: Immediately report the breach to the UODO to meet the 72-hour GDPR deadline. Concurrently, prepare and send a clear, transparent notification to all affected customers, warning them of the specific risks (phishing, password reuse).
- Harden Security:
- Enforce Multi-Factor Authentication (MFA) for all customer and admin accounts.
- Audit password storage. If not already using a strong, salted algorithm (like bcrypt or Argon2), upgrade immediately.
- For Affected Customers (ITAKA Users):
- Assume your PII and password hash are public.
- Password Rotation: CRITICALLY, if you reused your ITAKA password on any other site (email, banking, social media), go and change that password immediately.
- Extreme Phishing Vigilance: Be extremely suspicious of all unsolicited emails, SMS messages, or calls related to “ITAKA,” “your vacation,” “flight bookings,” or “refunds.” NEVER click links or provide payment details. Log in to the official itaka.pl site directly.
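The password-storage audit in the hardening step above can be run on an export of the user table: count which hashing scheme each row uses, then upgrade weak hashes transparently the next time each user logs in successfully, since that is the only moment the plaintext is available to rehash. This is an added example, not ITAKA's or FOSUserBundle's code. The row format and the legacy "sha512" scheme are constructed for illustration, and scrypt from the Python standard library stands in for the bcrypt or Argon2 the post recommends (both need third-party packages in Python).

```python
"""Audit stored password hashes and migrate weak ones on next login.

Added example, not code from the affected company or from FOSUserBundle.
Assumptions: rows are (username, stored_hash); stored hashes use a
constructed "scheme$salt$digest" layout; the legacy "sha512" scheme is a
stand-in for any fast, single-pass hash; scrypt stands in for bcrypt/Argon2.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# scrypt work factor: 128 * n * r * p bytes = 16 MiB per hash.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)


def hash_scrypt(password: str, salt: Optional[bytes] = None) -> str:
    """Strong, salted, memory-hard hash in the constructed "scrypt$salt$digest" layout."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return "scrypt$" + base64.b64encode(salt).decode() + "$" + base64.b64encode(digest).decode()


def legacy_sha512(password: str, salt: str) -> str:
    """Constructed legacy scheme: one salted SHA-512 pass, cheap to brute-force."""
    return "sha512$" + salt + "$" + hashlib.sha512((salt + password).encode()).hexdigest()


def verify(stored: str, password: str) -> bool:
    """Check a password against either scheme with constant-time comparison."""
    parts = stored.split("$", 2)
    if len(parts) != 3:
        return False
    scheme, salt, digest = parts
    if scheme == "scrypt":
        expected = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt),
                                  dklen=32, **SCRYPT_PARAMS)
        return hmac.compare_digest(expected, base64.b64decode(digest))
    if scheme == "sha512":
        return hmac.compare_digest(legacy_sha512(password, salt), stored)
    return False


def needs_rehash(stored: str) -> bool:
    """True for anything not on the current strong scheme."""
    return not stored.startswith("scrypt$")


def audit(rows):
    """Count hashing schemes across a user export; the audit report for the table."""
    counts = {}
    for _, stored in rows:
        scheme = stored.split("$", 1)[0]
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts


def login(users: dict, username: str, password: str) -> bool:
    """Verify; on success, silently upgrade a legacy hash in place."""
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    if needs_rehash(stored):
        users[username] = hash_scrypt(password)
    return True


# Constructed sample export: one legacy row, one already-upgraded row.
USERS = {
    "anna": legacy_sha512("correct horse", "s4lt"),
    "jan": hash_scrypt("battery staple"),
}

if __name__ == "__main__":
    print("before:", audit(USERS.items()))
    login(USERS, "anna", "correct horse")
    print("after: ", audit(USERS.items()))
```

Rehash-on-login only reaches users who log in; after a breach the forced password reset recommended above covers everyone else, and any row still on the legacy scheme after the reset window should be treated as compromised and disabled.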
Secure Your Business with Brinztech — Global Cybersecurity Solutions
Brinztech protects organizations worldwide from evolving cyber threats. Whether you’re a startup or a global enterprise, our expert solutions keep your digital assets safe and your operations running smoothly.
Questions or Feedback?
This analysis is based on a threat intelligence report. A recent, large-scale breach of a major EU company carries significant, immediate risks for customers and severe regulatory penalties under GDPR. Brinztech provides cybersecurity services worldwide and does not endorse or guarantee the accuracy of external claims. For any inquiries or to report this post, please email: contact@brinztech.com