See also: Abta insists ‘very low risk’ of identity theft or fraud
Abta has suffered a cyber attack and the theft of both members’ and customers’ data.
The association revealed the breach this morning, saying it was contacting the members and customers affected.
Abta said the breach occurred at the end of February, with the data of 43,000 individuals and up to 650 Abta members compromised.
In a lengthy statement, Abta chief executive Mark Tanzer said: “We recently became aware of unauthorised access to the web server supporting abta.com by an external infiltrator exploiting a vulnerability.
“The web server is managed for ABTA through a third party web developer and hosting company. The infiltrator exploited that vulnerability to access data provided by some customers of ABTA members and by ABTA members themselves via the website.
“On further, urgent investigation we identified that the incident occurred on the 27th February 2017 and related to some customer information, including complaints about ABTA members, and to documentation uploaded via abta.com in support of ABTA membership.
“Although encrypted, passwords used by ABTA Members and customers of ABTA Members to access our website may also have been accessed.
“Having become aware of the unauthorised access, we immediately notified the third-party suppliers of the abta.com website who immediately fixed the vulnerability.
“ABTA immediately engaged security risk consultants to assess the potential extent of the incident. Specialist technical consultants subsequently confirmed that the web server had been accessed.
“We are not aware of any information being shared beyond the infiltrator. We are actively monitoring the situation, but as a precautionary measure we are taking steps to warn both customers of ABTA members and ABTA members who have the potential to be affected.
“We are today contacting these people and providing them with information and guidance to help keep them safe from identity theft or online fraud.
“We have also alerted the relevant authorities, including the Information Commissioner and the Police.”
Tanzer said: “I would personally like to apologise for the anxiety and concern this incident may cause to any customer of ABTA or ABTA member who may be affected.
“It is extremely disappointing that our web server, managed for ABTA through a third party web developer and hosting company, was compromised, and we are taking every step we can to help those affected.
“I will personally be working with the team to look at what we can learn from this situation.”
Abta said in a statement: “The unauthorised access may have affected approximately 43,000 individuals. Around 1,000 of these are files that may include personal identity information of customers of ABTA Members (in support of their complaint about an ABTA Member), uploaded since 11th January 2017; around 650 may include personal identity information of ABTA Members.
“The vast majority of the 43,000 relate to people who have registered on abta.com, with email addresses and encrypted passwords, or have filled in an online form with basic contact details which are types of data at a very low exposure risk to identity theft or online fraud.
Specifically, the four categories of data that may have been accessed are:
• The majority of the data related to email addresses and passwords for any ABTA Member or customer of an ABTA Member that had registered on abta.com. These passwords were encrypted – which means to the human eye it will look like a jumble of characters – and so there is a very low exposure risk of identity theft or online fraud; however as a precautionary measure we are recommending that ABTA Members and affected customers of ABTA Members change their passwords.
• Contact details of customers of ABTA Members who have used the website to register a complaint about an ABTA Member.
• A smaller volume of data uploaded via the website by members of the public who had submitted documentation to support a complaint about an ABTA Member since 11th January 2017.
• A smaller volume of data uploaded via the website by ABTA Members using the ‘self-service’ facility on abta.com, where ABTA Members have uploaded documentation in support of their membership. The vulnerability that was exploited by the infiltrator only enabled access to uploaded supporting documentation, and did not affect other IT systems or forms that had been completed online.”
Andrew Avanessian, vice president at global security software company Avecto, said he believed the attack was preventable:
“Cyber security is simple if you focus on getting the foundations right, and in this case, not for the first time, it was a third party that fell short.
“It’s crucial that all organisations take into account their relationship with third parties when creating cyber security strategies and ensure that every endpoint in the cyber security chain is secure. Suppliers are an important piece of the puzzle and must be treated accordingly.
“It only takes one vulnerable device or server to compromise an entire network, and in turn, impact business reputation and the security of thousands of customers.”
Jake Madders, director at Hyve Managed Hosting, warned that organisations should be aware of a third-party provider’s security when sensitive data is involved:
“Real-time network threat awareness and continuous vulnerability testing is crucial to detecting potential intrusion, and any reputable host should offer these services as standard, 24/7.
Managed tools such as two-factor authentication can even help defend against an attack after it occurs, by ensuring that the passwords stolen are not enough to successfully infiltrate and export user details.”
Abta Members can call 0203 758 8779 in relation to the incident.