Personal data of around 650 members of the Association of British Travel Agents (ABTA) and 43,000 customers was exposed in a recent cyber attack on the organisation's website.
Email addresses, passwords, and personal details belonging to thousands of UK holidaymakers have been stolen in a cyber attack against ABTA's website. Most of the 43,000 affected customers are people who registered on its website or submitted claims. The hacker(s) also gained access to files uploaded in support of complaints, which may reveal more personal information.
The organisation said that its own IT systems were not hacked, but the web server for the website, managed by a third-party developer, was breached on February 27 2017.
They said: "This unfortunately means that some documentation uploaded to the website by ABTA members, as well as some information provided by customers of ABTA members in support of their complaint about an ABTA member, may have been accessed."
The third-party host has fixed the problem.
ABTA said it has already contacted potential victims, set up a dedicated helpline, and is offering free access to identity theft services from Experian.
"ABTA immediately engaged security risk consultants to assess the potential extent of the incident. Specialist technical consultants subsequently confirmed that the web server had been accessed. It is extremely disappointing that our web server, managed for ABTA through a third party web developer and hosting company, was compromised, and we are taking every step we can to help those affected."
However, it should have been up to ABTA to make sure security precautions were in place. Blaming a third-party host or developer does not help the customers who are now at risk of identity fraud, or their employers, who are exposed to attacks that exploit reused passwords. ABTA cannot rely on web designers to be security experts. Ongoing penetration testing and vulnerability scanning would have prevented this attack, and it was ABTA's responsibility to make sure that was in place.