Skip to main content

Data Breach at NYC "Hop-on, Hop-off" Tour Company -- 110,000 credit card numbers stolen

Since March 1, 2010, privacy professionals have been waiting for a data breach that could bring an enforcement action under 201 CMR 17.00, the Massachusetts privacy regulations.   I just spoke with Paul Roberts, editor of, a blog that posted an entry yesterday regarding a breach that could do just that.   Twin America LLC, the parent company of bus tour company CitySights NY, says the credit card details of 110,000 customers were stolen in a Web based attack and suggests it wasn't following Payment Card Industry guidelines for storing card data.

Roberts blogged yesterday that the CitySights NY tour company has notified certain state attorneys general that the financial data of more than 100,000 customers was stolen when a SQL injection attack hit one of its Web servers.  According to the Massachusetts Attorney General's office, among those whose data were exposed are 1,850 Massachusetts residents.   This led Roberts to ask, "Could this be the test case for enforcement of the state's nine-month-old data privacy law?" The breach exposed the names, addresses and full credit card account information including card verification data.

The breach came to light when Roberts reported on a breach notification letter from Twin America published on the New Hampshire Attorney General's website.  The letter was dated December 9, 2010 for a breach that reportedly occurred in September.  Although the letter states notes, specifically, that the compromised database did not contain "Social Security numbers, drivers' license or other state-issued identification or other personal information," for purposes of compliance with Massachusetts law, including 201 CMR 17.00, this recitation of data elements leaves out the most important element -- credit card or financial account information.  A single data point combined with the persons first name (or first initial) and last name is sufficient to require compliance with 201 CMR 17.00 by a holder of such information, "wherever located."

Business has been looking for clarity in how some of the provisions of 93H and 201 CMR 17.00 -- particularly the civil penalties -- will be enforced by the Massachusetts Attorney General.  This may be the test case.   Stay tuned.

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.