The Association of British Travel Agents (ABTA) has suffered a major data breach affecting thousands of customers. As some news providers have observed, it took the UK’s largest holiday and travel association 16 days to alert customers to the breach, which it said took place on February 27th. The breach was subsequently discovered on March 1st but not announced until the 16th.
Cybercriminals exploited a flaw in ABTA’s web server, which gave them access to the website and to the personal information of as many as 43,000 customers, including a possible 650 ABTA members.

In a statement, Mark Tanzer, ABTA’s CEO, said: “Although [our] own IT systems remained secure, there was a vulnerability to the web server for abta.com, which is managed for ABTA through a third-party web developer and hosting company.”
The majority of customers impacted by the breach were those who had registered on the website or filled in an online form. Some of the personal details came from around 1,000 people who had submitted details of their holiday complaints, revealing their email addresses and contact details.
Following detection of the attack, ABTA urgently notified the third-party suppliers of the website, who “immediately fixed the vulnerability”. In the meantime, the travel body suggested customers should “remain vigilant regarding online and identity fraud: actively monitor your bank accounts and any social media and email accounts”.

ABTA is “taking every step … to help those affected”, with Tanzer apologizing and admitting that it was “extremely disappointing” that the web server was compromised.
Harsher penalties will be in store for companies that don’t comply with the new security regulations imposed by the General Data Protection Regulation (GDPR), which comes into force in May 2018. The new GDPR rules include requirements around data breach notification, consent and mandatory privacy impact assessments. Companies that do not abide by the rules will face heavy fines.