Abta cyberattack: 43,000 UK holidaymakers and travel agents at risk of identity fraud

The UK's largest travel trade organisation, the Association of British Travel Agents (ABTA) has experienced a cyberattack on its website that puts 43,000 holidaymakers and travel agents at risk of identity theft.

Abta governs the UK's travel agents and is a key port of call for consumers who want to make a complaint about an Abta-registered travel agent. People who want to make a complaint typically have to provide their personal contact details as well as their email addresses.

The travel trade organisation says that about 1,000 files were accessed by hackers on 27 February. The data accessed affects both Abta member travel agents as well as consumer customers who used their services, and 650 files could include the personal identity information of Abta members. Abta discovered the security breach on 1 March.

The data accessed includes: all data uploaded by consumers to support complaints made about Abta members since 11 January 2017; email addresses and encrypted passwords of consumers and travel agents; contact details of some customers who used the website to register a complaint about an Abta travel agent; and some of the data uploaded by Abta members to support their memberships.

The travel trade organisation is now contacting all affected consumers and Abta members, and anyone who is concerned can call the dedicated phoneline on 020 3758 8779.

Ironically, the data breach took place one day before the association ran a "Data Protection in Travel Seminar" on February 28 in London, which offered tips on how to "take stock of your existing level of data protection compliance".

Travel agents and consumers should call dedicated phoneline

"Having become aware of the unauthorised access, we immediately notified the third-party suppliers of the abta.com website who immediately fixed the vulnerability. Abta immediately engaged security risk consultants to assess the potential extent of the incident. Specialist technical consultants subsequently confirmed that the web server had been accessed," Abta's chief executive Mark Tanzer said in a statement.

"I would personally like to apologise for the anxiety and concern that this incident may cause to any customer of Abta or Abta member who may be affected. It is extremely disappointing that our web server, managed for Abta through a third-party web developer and hosting company, was compromised, and we are taking every step we can to help those affected.

"I will personally be working with the team to look at what we can learn from this situation."

Abta says that the London Metropolitan Police is now investigating the cyberattack and the Information Commissioner has been made aware of the situation. And according to comments Tanzer made to Travel Trade Gazette, it is believed that the police might already have a suspect in mind.

"Time and time again we have seen that even the most basic breach of personal identifiable information puts consumers at risk. Names, addresses and contact information all hold money-making potential for opportunistic cyber criminals on the dark web," Delphix's director of strategy for EMEA Jes Breslaw told IBTimes UK.

"The latest ABTA breach once again reinforces why organisations need to prioritise the development of multi-layered security measures. The challenge has always been that more robust security measures, such as data masking, are expensive and complex tasks that organisations have avoided. Yet encryption alone is not enough.

"With the EU's General Data Protection Regulation (GDPR) quickly coming down the line then protecting personal identifiable information will become an imperative. Otherwise organisations could risk fines of up to €20m or 4% of annual turnover worldwide. The Abta provides an important service and this puts into question could they even survive fines in a GDPR era?"