The organisation said today it had become aware of “unauthorised access to the web server supporting abta.com by an external infiltrator exploiting a vulnerability”.
The web server is managed for Abta through a third-party web developer and hosting company.
“The infiltrator exploited that vulnerability to access data provided by some customers of Abta members and by Abta members themselves via the website”, said chief executive Mark Tanzer in a statement.
The incident occurred on February 27 and related to some customer information, including complaints about Abta members, and to documentation uploaded via abta.com in support of Abta membership. Abta discovered the security breach two days later on March 1.
The hack took place the day before the association ran its own event on data security: the "Data Protection in Travel Seminar" was held on February 28 with Fieldfisher at its London office, and offered tips on how to "take stock of your existing level of data protection compliance".
Although encrypted, passwords used by Abta members and customers of Abta members to access Abta’s website may also have been accessed.
The unauthorised access may have affected approximately 43,000 individuals.
Around 1,000 of these are files that may include personal identity information of customers of Abta members (in support of their complaint about an Abta member), uploaded since January 11 2017; around 650 may include personal identity information of Abta members.
The vast majority of the 43,000 relate to people who have registered on abta.com, with email addresses and encrypted passwords, or who have filled in an online form with basic contact details; these are types of data that carry a very low exposure risk of identity theft or online fraud.
Tanzer said: “Having become aware of the unauthorised access, we immediately notified the third-party suppliers of the abta.com website who immediately fixed the vulnerability.
“Abta immediately engaged security risk consultants to assess the potential extent of the incident. Specialist technical consultants subsequently confirmed that the web server had been accessed.
“We are not aware of any information being shared beyond the infiltrator. We are actively monitoring the situation, but as a precautionary measure we are taking steps to warn both customers of Abta members and Abta members who have the potential to be affected.
“We are today contacting these people and providing them with information and guidance to help keep them safe from identity theft or online fraud. We have also alerted the relevant authorities, including the Information Commissioner and the police.
“I would personally like to apologise for the anxiety and concern that this incident may cause to any customer of Abta or Abta member who may be affected.
“It is extremely disappointing that our web server, managed for Abta through a third-party web developer and hosting company, was compromised, and we are taking every step we can to help those affected.
“I will personally be working with the team to look at what we can learn from this situation.”
Tanzer said that the Metropolitan Police was now investigating the incident.
"The police have got an identity but I can’t comment further," he added. "If somebody gets in touch with us they have to establish an identity. I imagine the police will be checking the contact information and take the investigation from there."
Abta members concerned about the data security breach can call 020 3758 8779.
“Unfortunately, the travel sector has become a big target for hackers (of all types).
"This is due to the industry having large databases holding personal and financial information. In this case it would appear that Abta has fallen victim to a lack of security. It is vital that all businesses have a data protection strategy in place to try and prevent attacks like this.
"The figure 43,000 may seem to be a big data breach but it is a small one by comparison to many others. However, that will be of no consolation to the victims.
"It is important that travel businesses take a few basic steps. In addition to steps to prevent external access, we would recommend that all customers encrypt all data, not just passwords. Access should be via Privileged Password Protection.
Finally, it should be noted that the EU’s General Data Protection Regulations (GDPR) come into effect in May 2018 - as I reported in TTG in January; if this law had been applicable now, Abta would have been liable to a multi-million pound fine.”
"To date, there is very little take-up in the travel sector regarding the GDPR - and few companies have appointed a data protection manager, despite the recommendation by the Information Commissioner's Office.
Richard Bristow F.Inst.T.T. is sales director at Tamite Secure IT