UK holidaymakers’ data breach highlights need to be proactive

Security experts say the data breach at travel industry association Abta underlines that no organisation is immune from cyber attack and that data holders and consumers should be more proactive about data protection

A data breach at the Association of British Travel Agents (Abta) affecting around 43,000 holidaymakers underlines the need for consumers and organisations holding data to be more proactive, according to experts.

News of the breach comes just days after the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) published a joint report outlining the “significant” cyber threat to UK business.

Abta said that on 27 February 2017, hackers accessed around 1,000 files containing personal identity information of individuals who have made a complaint about an Abta-registered travel agent.

The attackers may also have accessed the encrypted passwords used by Abta members and customers of Abta members to access the association’s website.

The hackers are believed to have exploited a vulnerability to gain access to a web server supporting abta.com that is managed for Abta through a third-party web developer and hosting company.

The association is contacting those affected by the breach and has set up a dedicated helpline for people with concerns. It has also notified the Information Commissioner’s Office (ICO) and the police.

Abta chief executive Mark Tanzer said in a statement that it is “extremely disappointing that our web server, managed for Abta through a third-party web developer and hosting company, was compromised, and we are taking every step we can to help those affected”.

He said Abta immediately notified the third-party suppliers of the abta.com website, with the suppliers immediately fixing the vulnerability. Abta also engaged security risk consultants to assess the potential extent of the incident.

“We are not aware of any information being shared beyond the infiltrator. We are actively monitoring the situation, but as a precautionary measure we are taking steps to warn both customers of Abta members and Abta members who have the potential to be affected,” said Tanzer.  

Abta said most of those affected had registered with email addresses and encrypted passwords or had filled in an online form with basic contact details and, as a result, there was “a very low exposure risk to identity theft or online fraud” with this kind of data.

However, the association advised customers and Abta members registered on the site to change their passwords as a “precautionary measure” and monitor their bank accounts, social media and email accounts.

The association is also providing any Abta members who may have been affected with free access to a credit monitoring and identity theft protection service.

Ilia Kolochenko, CEO of web security company High-Tech Bridge, has warned that encryption will hardly make a difference to the incident.

“Hashed passwords can be quite easily bruteforced, and taking into consideration modern computing capacities – including elastic cloud infrastructure – attackers will probably get the majority of passwords in plaintext without much effort.

“Those affected should urgently change their passwords if they were re-using them for different accounts, as well as secret questions for password recovery if stolen data contained answers to them. They should also get ready to receive well-prepared spear-phishing that will rely on the information compromised in the incident,” he said.

Slipping through the back door

With breaches like this becoming increasingly common, it is vital that both consumers and organisations take a proactive approach when it comes to security, said Rob Norris, vice-president and head of enterprise and cyber security for Europe at Fujitsu.

“Organisations need to think about what data they need to protect and focus on the integration of threat intelligence and other information sources, to provide the context necessary to deal with today’s advanced cyber threats,” he said.

“They also need to be astute as to what third-party organisations they work with and ensure they don’t pose a security threat, as hackers will look for back doors into an organisation through suppliers that might not have as tight security precautions.”

Norris said consumers, for their part, should ensure they use different passwords for different applications and are aware of the security risks when using payment information.

“Consumers should consider two-factor authentication alternatives where possible, so passwords are rendered useless on their own, such as facial, voice, iris, palm and fingerprint biometrics for an additional layer of protection.

“In an era where data is becoming the new currency, all personal data needs to be properly protected. As the number of these threats continues to increase exponentially, no business nor consumer can afford for cyber security not to be their number one priority,” he said.

All organisations a target, says expert

Matthias Maier, security evangelist at operational intelligence firm Splunk, said the Abta breach is yet another reminder that organisations of all types should expect to be targeted by attackers.

“In such a threatening cyber landscape, organisations must have the right response capabilities and processes in place to stifle the impact of malicious and highly destructive assaults.

“When an organisation finds out that its infrastructure has been breached by criminal activity, its first step should be to understand its scale and scope through the machine data it should have available in its organisation,” he said.

This is increasingly important, said Maier, due to the need for all companies handling the personal data of European Union (EU) citizens to comply with the General Data Protection Regulation (GDPR) that will require mandatory breach notification from 25 May 2018.

“It looks like Abta has done its homework and ensured that the third-party provider that hosts its website has been able to remediate the vulnerability and identify what has happened quickly. As a result, Abta has been able to alert affected customers and the relevant authorities in a timely fashion with a view to mitigating its impact,” he said.

“As we see the number of cyber attacks and breaches grow, having the capability to understand the scale of a breach by analysing all machine-generated data from web applications will be key, as will having proper processes and crisis plans in place to respond effectively.”
