A hack attack on the Association of British Travel Agents (ABTA) has exposed the personal details of thousands of consumers and hundreds of tour operators and travel agents.
Data for up to 650 ABTA members and up to 43,000 consumers was exposed by the breach, which dates from late last month.
In a statement on Thursday, the travel industry organisation blamed a successful attack against its hosting provider. It sought to downplay concerns by saying the problem had already been contained.
"We recently became aware of unauthorised access to the web server supporting abta.com by an external infiltrator exploiting a vulnerability. The web server is managed for ABTA through a third party web developer and hosting company. The infiltrator exploited that vulnerability to access data provided by some customers of ABTA Members and by ABTA Members themselves via the website.
"On further, urgent investigation we identified that the incident occurred on the 27 February 2017 and related to some customer information, including complaints about ABTA Members, and to documentation uploaded via abta.com in support of ABTA membership. Although encrypted, passwords used by ABTA Members and customers of ABTA Members to access our website may also have been accessed."
The vulnerability abused by hackers has been closed. ABTA has also called in third-party incident response consultants to assess the potential impact of the incident.
ABTA chief exec Mark Tanzer apologised for the incident and the worry it may have caused. The organisation is in the process of notifying affected parties, mostly consumers who have filed complaints against a tour operator through ABTA.
Most of the potentially compromised records contained only email addresses and encrypted passwords. But approximately 1,000 compromised files contain more sensitive information of consumer complainants including names, addresses and phone numbers.
Pete Turner, consumer security expert at security software firm Avast, added: "It’s bad enough if you have to complain about your holiday to ABTA but then to potentially have your personal information compromised will be of concern to many people.
"While it is good that ABTA has already taken steps to not only notify the Information Commissioner and police, but also set up a helpline for people to call if they are concerned, the fact is that consumers can no longer trust companies to keep their data safe. The regular news stories hitting the headlines of data breaches are an example of this," he added.
Jes Breslaw, director of strategy, EMEA at data virtualisation firm Delphix, added: "Time and time again we have seen that even the most basic breach of personal identifiable information puts consumers at risk. Names, addresses and contact information all hold money-making potential for opportunistic cyber criminals on the dark web.
"The latest ABTA breach once again reinforces why organisations need to prioritise the development of multi-layered security measures," he added.