A cyber-attack on the website of travel trade body ABTA may have affected about 43,000 people and businesses, the organisation has today admitted.
Many of those affected are holidaymakers who've personally used the site to make a complaint about an ABTA-registered travel company.
However, some firms that are members of ABTA have had their own data accessed – ABTA hasn't told us which companies are in this category but says their customers won't be impacted.
While most of the stolen data consists of email addresses and encrypted passwords, the organisation said around 1,000 files that may include "personal identity information" of holidaymakers could have been compromised in the attack, which happened on 27 February.
ABTA chief executive Mark Tanzer has apologised for the "anxiety and disruption" caused to its members and customers, stating: "We are not aware of any information being shared beyond the infiltrator."
The organisation has also referred the matter to the police and to data watchdog the Information Commissioner's Office.
The 43,000 affected accounts are a mixture of ABTA members (travel companies) and their customers:
- 29,000 who've recently registered on ABTA (as member businesses or as customers making a complaint) may have had their email addresses and encrypted passwords accessed.
- 13,000 customers who've complained about an ABTA member on the site without fully registering may have had their email addresses taken.
- 1,000 customers who've uploaded documents in support of their complaints against ABTA members since 11 January 2017 may have had those documents accessed. This group is considered to be the most at risk from identity fraud.
- 650 ABTA members may have had their own documentation accessed – but this documentation relates to their membership of ABTA and so the firms' customers won't be affected by this.
I've registered on the ABTA website – what should I do?
ABTA says it's emailing members of the public who it believes may have had their data accessed in the attack. These people will be offered free access to credit rating agency Experian's identity theft protection service, which would alert them if their information is shared online.
They will also be advised to change their password immediately – and if they use the same or a similar password for other websites, they're encouraged to change those too.
If you're contacted, you should also remain vigilant regarding online and identity fraud: actively monitor your bank accounts and any social media and email accounts you have.
ABTA told us that anyone who's used its site but not been contacted about the breach does not need to change their password – though you are, of course, free to do so.
How did this happen?
ABTA says that while its own IT system was and is secure, there was a vulnerability in abta.com's web server – ie, the system that delivers online content – which is managed by a third-party web developer and hosting company.
This vulnerability resulted in "unauthorised access" to ABTA members' and holidaymakers' data on 27 February. However, that vulnerability has now been fixed.
What does ABTA say?
Tanzer said: "It is extremely disappointing that our web server, managed for ABTA through a third-party web developer and hosting company, was compromised, and we are taking every step we can to help those affected.
"I will personally be working with the team to look at what we can learn from this situation."