The Association of British Travel Agents (ABTA) has suffered a major data breach, affecting thousands of customers.
As some news providers have observed, it took the UK’s largest holiday and travel association 16 days to alert customers of the data breach, which it said took place on February 27th.
The breach was subsequently discovered on March 1st but not announced until the 16th.
Cybercriminals managed to expose a flaw in ABTA’s web server, which gave them access to the website and the personal information of as many as 43,000 customers, including a possible 650 ABTA members.
In a statement, Mark Tanzer, ABTA’s CEO, said: “Although [our] own IT systems remained secure, there was a vulnerability to the web server for abta.com, which is managed for ABTA through a third-party web developer and hosting company.”
The majority of customers who were impacted by the breach were those who had registered on the website or filled in an online form.
Some of the personal details came from around 1,000 people who had submitted details of their holiday complaints, revealing their emails and contact details.
Following the detection of the attack, ABTA urgently notified the third-party suppliers of the website who “immediately fixed the vulnerability”.
In the meantime, the travel body suggested customers should “remain vigilant regarding online and identity fraud: actively monitor your bank accounts and any social media and email accounts”.
ABTA is “taking every step ... to help those affected”, with Tanzer apologizing and admitting that it was “extremely disappointing” that the web server was compromised.
Harsher penalties will be in store for companies who don’t comply with new security regulations imposed by the General Data Protection Regulation (GDPR), which comes into play in May 2018.
New GDPR regulations include rules around notification of data breach, consent and mandatory privacy impact assessments.
Companies that do not abide by the rules will face heavy fines.