News has surfaced today that a cyber-attack on the website of the Association of British Travel Agents (ABTA) could potentially have impacted as many as 43,000 people.
As explained in a statement on the company’s website, it is believed that those behind the attack (which occurred on 27 February) gained access to about 1000 files which may include personal identity information on customers of ABTA Members, the majority of which are email addresses and encrypted passwords, relating to complaints made about ABTA staff.
ABTA CEO, Mark Tanzer, said:
“We recently became aware of unauthorized access to the web server supporting abta.com by an external infiltrator exploiting a vulnerability. The web server is managed for ABTA through a third party web developer and hosting company. The infiltrator exploited that vulnerability to access data provided by some customers of ABTA Members and by ABTA Members themselves via the website.
“We immediately notified the third-party suppliers of the abta.com website who immediately fixed the vulnerability. ABTA immediately engaged security risk consultants to assess the potential extent of the incident. Specialist technical consultants subsequently confirmed that the web server had been accessed.”
ABTA said it is not aware of any information being shared beyond the infiltrator, and the firm is actively monitoring the situation. It pointed out that there was "a very low exposure risk to identity theft or online fraud" with the kind of data that has been accessed. However, as a precautionary measure, ABTA is taking steps to warn both customers of ABTA Members and ABTA Members who could potentially be impacted.
“We are today contacting these people and providing them with information and guidance to help keep them safe from identity theft or online fraud. We have also alerted the relevant authorities, including the Information Commissioner and the Police”, Tanzer said.
In a brief statement to Infosecurity Magazine, an ICO spokesperson said: "We are aware of this incident and will be making enquiries."
ABTA advised anyone who has registered with abta.com to immediately change their password as a precaution, and should that password be used for any other services or accounts, to change it for those too.
“You should remain vigilant regarding online and identity fraud,” ABTA also said. “Actively monitor your bank accounts and any social media or email accounts you may have. We are also making available free of charge an identity theft protection service to members of the public who had registered on abta.com and may have been affected.”
Commenting on the incident, Jes Breslaw, director of strategy, EMEA at Delphix, said that time and time again we have seen that even the most basic breach of personally identifiable information puts consumers at risk.
“Names, addresses and contact information all hold money-making potential for opportunistic cyber-criminals on the dark web,” she explained. “The latest ABTA breach once again reinforces why organizations need to prioritize the development of multi-layered security measures.”
David Mount, director of security solutions consulting EMEA, Micro Focus, added:
“As with most data breaches, news of this latest hack from ABTA is likely to raise questions around how large organizations are protecting our personal data and keeping passwords safe. In this case, the passwords of those affected are encrypted, meaning they will be difficult for an attacker to decipher, but that’s not always the case.
“In future, we need a more effective way to securely prove who we are without relying solely on passwords as they are no longer useful as a single factor of authentication. The answer could be biometrics, tokens, smartphones, behavioral indicators, or a blend of these measures – pinpointing the appropriate method always depends on the sensitivity of the information or service being secured”, he argued.