ABTA, the travel trade body which represents travel agents and tour operators in the UK, has alerted users that it has suffered a data breach; 43,000 of its customers are believed to be affected.
ABTA represents travel agents and tour operators in the UK. It gives advice and guidance to holidaymakers, sets standards for travel firms and promotes responsible tourism in the UK and abroad.
The data breach happened on the 27th of February. ABTA is contacting those affected by the hack and has a dedicated helpline which those concerned can call. It has also alerted the police and the Information Commissioner's Office (ICO).
Roughly 1,000 files were accessed, and may include personally identifiable information (PII) of individuals who have made a complaint about an ABTA-registered travel agent. This is one of ABTA's public-facing responsibilities.
An email from ABTA shared with SC Media UK says: “We are not aware of any information being shared beyond the infiltrator, and we are actively monitoring the situation.”
Alex Mathews, lead security evangelist at Positive Technologies, says: “If the compromised web application was being hosted on the same outsourced server as the illegally accessed database, this is not best practice, the two should be segregated. This is because any breach of the application would likely provide the attacker with access to administrative levels of the database. The focus will now switch to post breach analysis, investigating the compromised servers to ascertain how long the attacker had access to the system, how the breach happened and what can be done to minimise risk. However, this is obviously no comfort to people who have had their data stolen, who should change passwords across the board, everything from email to social networks.”
Other data stolen includes: email addresses and encrypted passwords of ABTA customers and members registered on ABTA's website; contact details of customers of ABTA members who have used the website to register a complaint; and data uploaded by ABTA members in support of their membership, i.e. travel agents who wish to be ABTA accredited.
ABTA chief executive officer Mark Tanzer said he would "personally like to apologise for the anxiety and concern" caused to ABTA customers and members.
Tanzer added: “It is extremely disappointing that our web server, managed for ABTA through a third party web developer and hosting company, was compromised and we are taking every step we can to help those affected.”
ABTA said the "vast majority" of passwords were encrypted, hence there is "a very low exposure risk to identity theft or online fraud".
Rob Norris, VP head of enterprise & cyber security EMEIA at Fujitsu, told SC: “Organisations need to think about what data they need to protect and focus on the integration of threat intelligence and other information sources, to provide the context necessary to deal with today's advanced cyber-threats. They also need to be astute as to what third party organisations they work with and ensure they don't pose a security threat, as hackers will look for back doors into an organisation through suppliers that might not have as tight security precautions.”
ABTA advised its customers and members registered on the site to change their passwords as a "precautionary measure".
ABTA said those who had uploaded contact details or documentation on the website should actively monitor their bank accounts, social media and email accounts, and "remain vigilant".
It has also offered people who may be affected a free-of-charge identity theft protection service.
Matthias Maier, security evangelist at Splunk, told SC: “It looks like ABTA has done its homework and ensured that the third-party provider that hosts its website has been able to remediate the vulnerability and identify what has happened quickly. As a result, ABTA has been able to alert affected customers and the relevant authorities in a timely fashion with a view to mitigating its impact. As we see the number of cyber-attacks and breaches grow, having the capability to understand the scale of a breach by analysing all machine generated data from web applications will be key, as will having proper processes and crisis plans in place to respond effectively.”