16 Mar

Data security incident March 2017

Statement from ABTA CEO, Mark Tanzer, relating to Data Security Incident (March 2017)

We recently became aware of unauthorised access to the web server supporting abta.com by an external infiltrator exploiting a vulnerability. The web server is managed for ABTA through a third party web developer and hosting company. The infiltrator exploited that vulnerability to access data provided by some customers of ABTA Members and by ABTA Members themselves via the website.

On further, urgent investigation we identified that the incident occurred on the 27 February 2017 and related to some customer information, including complaints about ABTA Members, and to documentation uploaded via abta.com in support of ABTA membership. Although encrypted, passwords used by ABTA Members and customers of ABTA Members to access our website may also have been accessed.

Having become aware of the unauthorised access, we immediately notified the third-party suppliers of the abta.com website who immediately fixed the vulnerability. ABTA immediately engaged security risk consultants to assess the potential extent of the incident. Specialist technical consultants subsequently confirmed that the web server had been accessed.

We are not aware of any information being shared beyond the infiltrator. We are actively monitoring the situation, but as a precautionary measure we are taking steps to warn both customers of ABTA Members and ABTA Members who have the potential to be affected. We are today contacting these people and providing them with information and guidance to help keep them safe from identity theft or online fraud. We have also alerted the relevant authorities, including the Information Commissioner and the Police.

I would personally like to apologise for the anxiety and concern that this incident may cause to any customer of ABTA or ABTA Member who may be affected. It is extremely disappointing that our web server, managed for ABTA through a third party web developer and hosting company, was compromised, and we are taking every step we can to help those affected. I will personally be working with the team to look at what we can learn from this situation.

Outlined below, we have answered further questions, which include some guidance for customers of ABTA and ABTA Members.