The personal and financial data of 4.5 million visitors to the Alhambra and almost 1,000 travel agencies have been exposed by a flaw in the official ticket booking website. The flaw was detected by the La9 group, linked to Anonymous, and had affected the website since mid-2017.
The security hole left the website vulnerable to three different modes of SQL injection attack. The exposed visitor data include ID, telephone number, email, postal address and age, among others. For the affected travel agencies, information related to current account numbers, IBANs and plain-text passwords for access to the system has been leaked.
The technology supplier of the ticket reservation system, a temporary joint venture, has published a press release confirming the attack and announcing that it will report it to Spanish law enforcement and the Spanish Data Protection Agency. Once verified, the flaw in the Alhambra website was rectified.