This week’s cyber breach of UK travel trade association Abta’s systems underlines the vulnerability of all firms in the sector, according to experts.
The breach, reported on Thursday, was said to have put 43,000 members of the public and 650 association members at low risk of fraud and identity theft.
Abta appears to have acted quickly after the single breach, via a third-party hosting partner, was discovered, minimising the potential damage.
Mark Tanzer, Abta chief executive, said: “There is no evidence of data being taken or copied, but we can’t be certain.
“So we’re contacting everybody affected to advise them of the measures they can take to protect against data fraud.”
The breach occurred on February 27 and was discovered two days later on March 1. The authorities are said to have ascertained the online identity of the perpetrator.
Tanzer said: “On being informed we had to find out what had happened, what data had been accessed and whether any data had been removed.
“The first thing we did was to establish how this was done technically and close that off, then carry out a full test of our systems.”
After Abta released details of the breach, a host of cyber experts lined up to offer advice and diagnose the problem.
Jake Madders, director of Hyve Managed Hosting, said: “In light of the breach experienced by Abta, all organisations should be fully aware of their hosting provider’s security offering in order to guarantee the safety of sensitive data.
“Real-time network threat awareness and continuous vulnerability testing are crucial to detecting potential intrusion, and any reputable host should offer these services as standard, 24/7.
“Managed tools such as two-factor authentication can even help defend against an attack after it occurs, by ensuring that the passwords stolen are not enough to successfully infiltrate and export user details.”
Andrew Avanessian, vice president at Avecto, said: “Although the risk of fraud following this attack is low as passwords were encrypted, this appears to be another preventable breach.
“Cyber security is simple if you focus on getting the foundations right, and in this case, not for the first time, it was a third party that fell short.
“It’s crucial that all organisations take into account their relationship with third parties when creating cyber security strategies and ensure that every endpoint in the cyber security chain is secure. Suppliers are an important piece of the puzzle and must be treated accordingly.
“It only takes one vulnerable device or server to compromise an entire network, and in turn, impact business reputation and the security of thousands of customers.”
Wavex chief executive Gavin Russell added: “This story is yet another example of the prevalence of cyber-attacks, and serves as a reminder that no business is safe — regardless of their size or the industry they’re in.
“The need for a proactive approach towards cyber-security is essential, especially considering the upcoming General Data Protection Regulation (GDPR), which is why it’s so important that businesses have a brand protection strategy in place in addition to proactive vulnerability analysis for their websites.
“These strategies ensure that all employees are well-versed in what to do should an attack take place, and are the most effective way of minimising any technological, financial and reputational damage.”
EU GDPR rules will come into force and threaten firms with €20 million fines or 4% of global revenue, whichever is greater, for any offences related to data breaches.
Lee Munson, security researcher for security and privacy advice and comparison website Comparitech.com, said:
“While no organisation can claim to be totally immune to the risk of a data breach, and 43,000 leaked records is, alas, a small figure by today’s standards, the timing could not have been worse for Abta, given it was due to host a security seminar the very next day.
“While the CEO was likely telling all those affected by the breach that Abta ‘takes their security seriously,’ I suspect the CISO and their team were likely running around like chickens.
“Whether that fowl was headless or not would very much depend on the level of encryption used by the association – telling customers their passwords were protected with crypto isn’t necessarily that reassuring until we know just what that means exactly.
“Likewise, saying the information has been accessed only by the thief is not what I would imagine many of those affected would want to hear either, especially as it is their personal information that has been compromised.
“Fortunately, Abta says it will learn from this incident. Given the fact that it was breached through a third party, I suggest it starts with its Access Control and Network Security Policies.
“Meanwhile, forty thousand of its customers should be on the lookout for identity theft and other types of fraud, including phishing emails. They should also consider changing passwords as well as taking other measures to mitigate the post-hack effects they may experience.”