The Association of British Travel Agents (ABTA) has come forward and disclosed a major data breach, with as many as 43,000 people at possible risk from the huge cyber attack.
The attack that breached the website resulted in the hackers gaining access to around 1,000 files containing information that could include encrypted passwords and email addresses of ABTA members and customers registered on the site.
Files containing the contact details of customers of ABTA-registered travel agencies who posted complaints via the breached website may also be affected. In addition, data uploaded by ABTA members about their membership could also be accessed within the files.
In a statement, ABTA said:
The unauthorised access may have affected approximately 43,000 individuals. Around 1,000 of these are files that may include personal identity information of customers of ABTA Members (in support of their complaint about an ABTA Member), uploaded since 11 January 2017; around 650 may include personal identity information of ABTA Members. The vast majority of the 43,000 relate to people who have registered on abta.com, with email addresses and encrypted passwords, or have filled in an online form with basic contact details which are types of data at a very low exposure risk to identity theft or online fraud.
The organisation has laid on a dedicated helpline for those who are concerned, and they are currently working to reach those who were affected.
The concern now is where, and more importantly when, these details might resurface: in similar breaches, stolen information has been released years after it was originally compromised.
This story has emerged the day after thousands of staff from NHS Wales had personal data stolen as part of a cyber-attack that hacked the network of a third-party contractor.
Experts have been quick to comment on the breach, almost unanimously agreeing that hackers are going to strike where data is plentiful and not properly secured. Painting a worrying picture of the current threat landscape, Dr Anton Grashion from Cylance said:
“This type of cyber attack is going to continue to occur, where personally identifiable information is stolen. This data can be used by cyber criminals to apply for loans and credit cards, and the email addresses are often used to send spear phishing emails as part of other attempts at cyber crime.
“Until more businesses stop depending on outdated antivirus technology to protect their sensitive data and look to the newer approaches, such as those deploying artificial intelligence to ferret out and prevent the brand-new types of malware from running, more and more ordinary citizens are going to be affected by attacks such as this one.”
The attacks on ABTA and NHS Wales have brought the issue of third-party vendors to the forefront. Many businesses bring third parties on board to cut costs and outsource specific business processes. Dave Hartley at MWR InfoSecurity argues that although third parties might bring cost savings, they may bring something more malicious too.
“The data breach reported by ABTA today is a powerful example of the dangers of divesting security responsibilities to third party developers and hosting providers,” Hartley said.
“Attackers will always find the weakest link and traverse the path of least resistance, and all organisations need to be aware that any one of their service providers can expose them to the risk of breach. It doesn’t matter if a company’s own house is in order – they need to make sure that all of their partners hold the same standards of protecting them and their data.”
In light of the ABTA breach, businesses have been urged to not only support and protect their own networks, but also offer support to their partners. However, as Absolute’s Richard Henderson states, that’s easier said than done.
“As this threat rises, businesses are under growing pressure to not only support and protect their own network, but also that of their partners – the financial and reputational risks are simply too high not to. Unsurprisingly, this is causing multiple headaches for IT departments, which will ultimately turn to migraines once GDPR is enforced next year.
“Indeed, as the attack surface continues to expand with the growing number of partners and endpoints, it’s crucial that businesses take responsibility when protecting their critical assets and have full insight into who holds their data and where.”
What is crucial for businesses to remember, however, is that even if the breach has hit a third-party vendor, full ownership of the data breach must still be taken by the business whose data it is.
This article is from the CBROnline archive: some formatting and images may not be present.