About 43,000 individuals were potentially affected when the organisation saw “unauthorised access to the web server supporting abta.com by an external infiltrator exploiting a vulnerability”.
Speaking in a session on cyber security and the protection of personal data at the Abta Travel Convention, the organisation’s chief executive Mark Tanzer commented on the breach: “I hadn’t quite realised how responsible I was for all of our third party relationships – not just in the IT area but commercial relationships.
“The scope of data protection was a lot bigger than I ever thought. I thought it stopped at the four walls of our office, but it goes much further than that.
“And understanding the nature of the data we had was quite difficult. Did we have any medical records or passport details? We couldn’t just go into one system and look it up. People’s records were scattered between different systems.
“A dress rehearsal would have been useful because we would have been able to see what we actually had.
“We went through it all. It was a crisis management situation. It was a major, expensive exercise.”
Tanzer gave a number of lessons to travel businesses:
- “Have insurance.”
- “The best way not to lose data is not to have it. Be absolutely ruthless about why you have various data. We found the people who were most angry were the ones wondering why we even had their data. Clear out data that isn’t current and you don’t have the licence to use.”
- “Typing up your contracts and getting visibility as to what our third party suppliers are doing is also very important.”
- “Penetration test your own systems.”
- “You’ve got to demonstrate to the Information Commissioner that you’ve got data protection training in place; all this helps mitigate the penalty they may impose on you.”
- “We will have an annual data report to the board detailing what measures we are taking.”