ABTA says passwords were encrypted, mitigating risk, following attack on third party hosting provider
As many as 43,000 people could have had their personal data stolen by cybercriminals following an attack on travel agent industry body ABTA’s website.
The organisation said the attackers exploited a vulnerability in the servers of a third party hosting service and claimed that its own systems remained secure. Through this vulnerability, the attackers accessed documentation and data submitted by customers and agents.
The attack took place in late February, and ABTA stressed that although details such as email addresses and passwords were stolen, the latter were encrypted.
This means the risk of serious identity fraud is considered to be low, but ABTA still urged holidaymakers to change the login details for any accounts that used the same credentials.
“We recently became aware of unauthorised access to the web server supporting abta.com by an external infiltrator exploiting a vulnerability,” said ABTA CEO Mark Tanzer.
“On further, urgent investigation we identified that the incident occurred on the 27 February 2017 and related to some customer information, including complaints about ABTA Members, and to documentation uploaded via abta.com in support of ABTA membership.
“Having become aware of the unauthorised access, we immediately notified the third-party suppliers of the abta.com website who immediately fixed the vulnerability. ABTA immediately engaged security risk consultants to assess the potential extent of the incident. Specialist technical consultants subsequently confirmed that the web server had been accessed.
“We are not aware of any information being shared beyond the infiltrator.”
ABTA says it will reach out to those it believes may have been affected and has contacted both the police and the Information Commissioner’s Office (ICO).
“I would personally like to apologise for the anxiety and concern that this incident may cause to any customer of ABTA or ABTA Member who may be affected,” added Tanzer. “It is extremely disappointing that our web server, managed for ABTA through a third party web developer and hosting company, was compromised, and we are taking every step we can to help those affected. I will personally be working with the team to look at what we can learn from this situation.”
Two of the most high profile data breaches in recent times concerned Yahoo and TalkTalk, with damaging consequences for both companies’ reputation and finances. Experts have suggested two-factor authentication could mitigate the threat but said it was worrying that such breaches continue to happen.
“Even the most trusted and respected household names are repeatedly failing at even the most basic security measures,” said Chris Hodson, EMEA CISO at Zscaler.
“With personally identifiable information being compromised, rather than prioritised when it comes to protection, we have to question where the gaps in corporate security lie and understand how responsibility should be defined so that businesses can start to fill them.
“Irrespective of where data resides, businesses cannot outsource responsibility. So, as more third party cloud services are adopted, this management of the supply chain must be considered. Especially as the EU GDPR age promises excruciating fines for those who cannot comply.
“For consumers concerned in the wake of this incident, it will be critical to reconsider passwords. Having a back-up store of various different and complex passwords will mean that they won’t have to rely on corporate enterprise security in the short-term. In the long-term the onus must be flipped back to businesses who are responsible for stress testing their systems, working with third parties and ensuring that nothing slips through the net.”