A cyber attack on the website of ABTA, the UK’s largest travel trade association, has affected 43,000 people, including 1,000 holidaymakers. The Association of British Travel Agents (ABTA) said attackers had gained access to the web servers that host the organisation’s website.
Around 1,000 files are said to have been accessed in the attack, including personal identity data of people who had made a complaint about an ABTA-registered travel agent. Data relating to ABTA members, including tour operators, was also accessed and stolen. ABTA has stated that the vast majority of the 43,000 people affected had registered on abta.com, and that the data exposed for them consisted of email addresses and encrypted passwords.
ABTA Chief Executive, Mark Tanzer, said: “I would personally like to apologise for the anxiety and concern that this incident may cause to any customer of ABTA or ABTA member who may be affected.”
Tanzer said ABTA is not currently aware of the stolen data having been passed on by the attackers to anyone else. It has issued a warning to both customers of ABTA members and ABTA members who may be affected. “We are today contacting these people and providing them with information and guidance to help keep them safe from identity theft or online fraud,” he said.
ABTA is reassuring those affected that the stolen data presents “a very low exposure risk to identity theft or online fraud”. The organisation has notified the data protection regulator, the Information Commissioner’s Office (ICO), and the police.
The ABTA breach is a reminder that cyber criminals do not discriminate between targets, and that organisations large and small, in every industry, are exposed to cyber attacks. IT security experts from Zscaler, Splunk, Micro Focus, Fujitsu, Delphix, Comparitech, Cylance, NuData, Kaspersky Lab and SailPoint offer their thoughts on the attack against ABTA:
Kevin Cunningham, President & Founder at SailPoint:
“Being exposed as unprepared and ill-equipped to minimise the damage associated with a breach is a fear of any organisation. Today’s organisations house vastly more sensitive data, and so everyone from the executive level down needs to ensure there is a collaborative effort from internal staff to protect that sensitive information and ultimately, the health and longevity of the company.
“In today’s world, it’s a matter of when, not if, a data breach will happen. So the most important factors are prevention, education, and rapid response. When a breach does happen, it’s important to quickly find out how and why it occurred, assess the damage and required response, and put IT controls in place to address future attacks. This is where identity and access management solutions can help, because they can address the immediate pain while also identifying – and mitigating – other areas of exposure.”
Jes Breslaw, Director of Strategy, EMEA at Delphix:
“Time and time again we have seen that even the most basic breach of personally identifiable information puts consumers at risk. Names, addresses and contact information all hold money-making potential for opportunistic cyber criminals on the dark web. The latest ABTA breach once again reinforces why organisations need to prioritise the development of multi-layered security measures. The challenge has always been that more robust security measures, such as data masking, are expensive and complex tasks that organisations have avoided. Yet encryption alone is not enough.
“With the EU’s General Data Protection Regulation (GDPR) quickly coming down the line, protecting personally identifiable information will become an imperative. Otherwise organisations could risk fines of up to €20m or 4% of annual turnover worldwide. ABTA provides an important service, and this raises the question of whether it could even survive fines in a GDPR era.
“Organisations need to consider new dynamic data platforms that combine data masking with data virtualisation. This can enable them to scale up their data protection to safeguard all copies of sensitive data. Policy is applied just once, with the guarantee that all subsequent copies have the same protective measures applied. Not only will a dynamic data platform like this future proof the business from costly data breaches and ensure compliance but also improve agility and time-to-market.”
Rob Norris, VP Head of Enterprise & Cyber Security EMEIA at Fujitsu:
“It seems as though a day doesn’t go by without a cyber-attack or data breach making the headlines, and unfortunately for Abta, today they are the unlucky ones. With breaches happening like this on a daily basis, it’s vital that both consumers and organisations take a proactive approach when it comes to security. Organisations need to think about what data they need to protect and focus on the integration of threat intelligence and other information sources, to provide the context necessary to deal with today’s advanced cyber threats. They also need to be astute as to what third party organisations they work with and ensure they don’t pose a security threat, as hackers will look for back doors into an organisation through suppliers that might not have as tight security precautions.
“As well as this, however, consumers need to ensure they use different passwords for different applications and are aware of the security risks when using payment information. Consumers should consider two-factor authentication alternatives where possible, so that passwords are rendered useless on their own, such as facial, voice, iris, palm and fingerprint biometrics for an additional layer of protection.
“In an era where data is becoming the new currency, all personal data needs to be properly protected. As the number of these threats continues to increase exponentially, no business nor consumer can afford for cyber-security not to be their number one priority.”
David Mount, Director of Security Solutions Consulting EMEA at Micro Focus:
“As with most data breaches, news of this latest hack from Abta is likely to raise questions around how large organisations are protecting our personal data and keeping passwords safe. In this case the passwords of those affected are encrypted, meaning they will be difficult for an attacker to decipher, but that’s not always the case. One of the reasons why username and password databases make such good targets for hackers is that users apply the same password across many different online services, opening themselves up to broader issues if even one service is compromised.
“In future, we need a more effective way to securely prove who we are without relying solely on passwords as they are no longer useful as a single factor of authentication. The answer could be biometrics, tokens, smartphones, behavioural indicators, or a blend of these measures – pinpointing the appropriate method always depends on the sensitivity of the information or service being secured. Hackers are always looking for new ways to access these databases, and relying on a user to devise (and remember) a sufficiently secure password for each different online account is fundamentally flawed.”
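Mount’s point that the ABTA passwords were “encrypted, meaning they will be difficult for an attacker to decipher” only holds for one storage design. The added example below (written for this page; it is not ABTA’s, Micro Focus’s or any vendor’s code) contrasts two ways a site might protect a password table. The toy XOR scheme stands in for any reversible encryption whose key sits on the same server as the data; the iteration count, salt length and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed parameters for this example, not anything ABTA disclosed.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# --- Reversible "encryption": a toy XOR stream standing in for any scheme
# --- whose key lives next to the data. Never use this for anything real.
def xor_encrypt(plaintext: str, key: bytes) -> bytes:
    return _xor(plaintext.encode("utf-8"), key)


def xor_decrypt(ciphertext: bytes, key: bytes) -> str:
    # XOR is its own inverse: whoever copies the table and the key gets the password back.
    return _xor(ciphertext, key).decode("utf-8")


# --- One-way storage: salted PBKDF2-HMAC-SHA256 (hashlib, standard library).
def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a storable verifier: 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def breach_outcome(password: str, server_key: bytes) -> Dict[str, object]:
    """Model what an attacker who copies the user table (and the key beside it) obtains."""
    encrypted = xor_encrypt(password, server_key)
    hashed = hash_password(password)
    return {
        # Reversible scheme: the plaintext comes straight back.
        "recovered_from_encrypted": xor_decrypt(encrypted, server_key),
        # Salted hash: there is no inverse; the attacker is left guessing, one slow KDF call per guess.
        "recovered_from_hashed": None,
        # Per-user salts mean two users with the same password get different records.
        "same_password_same_hash": hash_password(password) == hashed,
    }


if __name__ == "__main__":
    key = secrets.token_bytes(16)  # constructed key, "stored alongside" the data
    print(breach_outcome("Summerholiday2017!", key))
```

The practitioner’s question when a breach notice says “encrypted” is therefore which of these two shapes the table had: with the first, a copy of the database plus the server’s key is a copy of every password; with the second, each password still has to be guessed and every guess costs a full key derivation.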
Matthias Maier, Security Evangelist at Splunk:
“The news that the travel trade organisation ABTA has been hit by a cyber-attack is yet another reminder that organisations of all types should expect to be targeted by attackers.
“In such a threatening cyber landscape, organisations must have the right response capabilities and processes in place to stifle the impact of malicious and highly destructive assaults. When an organisation finds out that its infrastructure has been breached by criminal activity, its first step should be to understand its scale and scope through the machine data it should have available in its organisation. This is increasingly important due to upcoming requirements put in place by the GDPR regulation regarding breach notification that will come into effect across Europe in 2018.
“It looks like ABTA has done its homework and ensured that the third-party provider that hosts its website has been able to remediate the vulnerability and identify what has happened quickly. As a result, ABTA has been able to alert affected customers and the relevant authorities in a timely fashion with a view to mitigating its impact. As we see the number of cyber attacks and breaches grow, having the capability to understand the scale of a breach by analysing all machine generated data from web applications will be key, as will having proper processes and crisis plans in place to respond effectively.”
Chris Hodson, EMEA CISO at Zscaler:
“In an era fast approaching significant regulatory change, it’s worrying that we’re still seeing big name brands jostling for data breach headlines. Even the most trusted and respected household names are repeatedly failing at even the most basic security measures. With personally identifiable information being compromised, rather than prioritised when it comes to protection, we have to question where the gaps in corporate security lie and understand how responsibility should be defined so that businesses can start to fill them.
“Irrespective of where data resides, businesses cannot outsource responsibility. So, as more third party cloud services are adopted, this management of the supply chain must be considered. Especially as the EU GDPR age promises excruciating fines for those who cannot comply. For consumers concerned in the wake of this incident, it will be critical to reconsider passwords. Having a back-up store of various different and complex passwords will mean that they won’t have to rely on corporate enterprise security in the short-term. In the long-term the onus must be flipped back to businesses who are responsible for stress testing their systems, working with third parties and ensuring that nothing slips through the net.”
Lee Munson, Security Researcher at Comparitech.com:
“While no organization can claim to be totally immune to the risk of a data breach, and 43,000 leaked records is, alas, a small figure by today’s standards, the timing could not have been worse for ABTA, given it was due to host a security seminar the very next day. While the CEO was likely telling all those affected by the breach that ABTA ‘takes their security seriously,’ I suspect the CISO and their team were likely running around like chickens.
“Whether that fowl was headless or not would very much depend on the level of encryption used by the association – telling customers their passwords were protected with crypto isn’t necessarily that reassuring until we know just what that means exactly. Likewise, saying the information has only been accessed by the thief is not what I would imagine many of those affected would want to hear either, especially as it is their personal information that has been compromised. Fortunately, ABTA says it will learn from this incident. Given the fact that it was breached through a third party, I suggest it starts with its Access Control and Network Security Policies.
“Meanwhile, forty thousand of its customers should be on the lookout for identity theft and other types of fraud, including phishing emails. They should also consider changing passwords as well as taking other measures to mitigate the post-hack effects they may experience.”
Dr. Anton Grashion, Managing Director, Security Practice at Cylance:
“This type of cyber attack is going to continue to occur, where personally identifiable information is stolen. This data can be used by cyber criminals to apply for loans and credit cards, and the email addresses are often used to send spear phishing emails as part of other attempts at cyber crime.
“Until more businesses stop depending on outdated antivirus technology to protect their sensitive data and look to the newer approaches, such as those deploying artificial intelligence to ferret out and prevent the brand-new types of malware from running, more and more ordinary citizens are going to be affected by attacks such as this one.”
Lisa Baergen, Director at NuData Security:
“It is critical that we continue to inform the public about their safety, and the fact that 43,000 records are compromised in this breach bears this out. As disheartening as this is, at this point we shouldn’t be shocked. We can assume our personal records are being shared on the dark web – sometimes years after the breach occurs.
“Any breaches of personal information are of extreme significance and concern. With just a name and email address there are outsized risks from targeted phishing attacks. Stolen consumer data can be combined with other personally identifiable information (PII) from other hacks and breaches to amass even more detailed profiles of users that are traded and sold to hackers. These bundles of data contain much more complete information about specific individuals, providing greater opportunities for fraud to take place. For example, with enough data collected from separate breaches a fraudster can gain access to financial and geographical information with the intent to fill out a loan application or apply for a new credit card. User behaviour analytics can provide victims of this and other breaches with an extra layer of protection even after the hack has occurred. We need to put a stop to these fraudsters in a completely passive and non-intrusive way to us, the good genuine consumers. This is accomplished by learning how a legitimate user truly behaves in contrast to a potential fraudster using our legitimate information stolen from breaches. Using passive biometrics and behavioural analysis, fraud can be predicted and prevented from occurring without interrupting a user’s experience.
“The only way we are going to stop these breaches is to devalue the data the fraudsters are going after. Technology is being used by some large banks and merchants that can verify the genuine user even when valid stolen credentials are used. Once this technology is more widespread we look forward to seeing online identity thieves go out of business.”
David Emm, Principal Security Researcher at Kaspersky Lab:
The cyber-attack on the website of ABTA, the travel trade body, is the latest targeting high profile organisations that could possess personal information of thousands, millions or even billions of members (as was the case with the Yahoo hack). In the case of ABTA, hackers may have gained access to members’ e-mail addresses and passwords. ABTA has indicated that the passwords were encrypted, so hopefully the attackers will not be able to make use of them – although ABTA is taking the sensible precaution of advising customers to change their passwords to be on the safe side. Such an attack highlights the importance of providers securing passwords effectively. It’s also important that we all choose sensible passwords to online accounts. Kaspersky Lab recommends the following:
1. Make every password at least 15 characters long – but the longer the better.
2. Don’t make them easily guessable. There’s a good chance that personal details such as your date of birth, place of birth, partner’s name, etc. can be found online – maybe even on your Facebook wall.
3. Don’t use real words. They are open to ‘dictionary attacks’, where someone uses a program to quickly try a huge list of possible words until they find one that matches your password.
4. Combine letters (including uppercase letters), numbers and symbols.
5. Don’t ‘recycle’ them, e.g. ‘david1’, ‘david2’, ‘david3’, etc.
6. If you don’t feel able to remember lots of unique passwords, use a password manager to help you store and remember your passwords securely.
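As an added example (written for this page, not Kaspersky Lab’s code), the six recommendations above turned into a checker that reports every rule a candidate password breaks, plus a generator standing in for what a password manager would produce for rule 6. The wordlist is a constructed handful of entries in place of a real dictionary, and the error message wording is an assumption.

```python
import re
import secrets
import string
from typing import Iterable, List

# Constructed sample wordlist; a real deployment would load a full dictionary.
DICTIONARY = {"password", "holiday", "travel", "summer", "london", "welcome", "abta"}
MIN_LENGTH = 15  # rule 1

_CLASS_PATTERNS = {
    "lowercase": r"[a-z]",
    "uppercase": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def _stem(password: str) -> str:
    """'david3' -> 'david': drop a trailing counter so recycled variants collide."""
    return re.sub(r"\d+$", "", password.lower())


def check_password(candidate: str,
                   personal_details: Iterable[str] = (),
                   previous_passwords: Iterable[str] = ()) -> List[str]:
    """Return the list of rule violations; an empty list means the candidate passes."""
    problems: List[str] = []
    lower = candidate.lower()

    # Rule 1: at least 15 characters.
    if len(candidate) < MIN_LENGTH:
        problems.append(f"too short: {len(candidate)} < {MIN_LENGTH}")

    # Rule 2: nothing guessable from publicly known personal details.
    for detail in personal_details:
        d = detail.lower()
        if len(d) >= 3 and d in lower:
            problems.append(f"contains personal detail '{detail}'")

    # Rule 3: no real words (dictionary-attack fodder), even as substrings.
    for word in sorted(DICTIONARY):
        if word in lower:
            problems.append(f"contains dictionary word '{word}'")

    # Rule 4: mix of lowercase, uppercase, digits and symbols.
    missing = [name for name, pat in _CLASS_PATTERNS.items() if not re.search(pat, candidate)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))

    # Rule 5: no recycling ('david1', 'david2', ...).
    for old in previous_passwords:
        if _stem(old) == _stem(candidate):
            problems.append(f"recycled variant of previous password '{old}'")

    return problems


def generate_password(length: int = 20) -> str:
    """Rule 6 in practice: a manager-style random password that satisfies rules 1-5."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least MIN_LENGTH")
    rng = secrets.SystemRandom()
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    alphabet = "".join(pools)
    while True:
        # One character from each class, the rest from the full alphabet, then shuffle.
        chars = [secrets.choice(pool) for pool in pools]
        chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not check_password(candidate):  # reject the rare draw that contains a wordlist entry
            return candidate


if __name__ == "__main__":
    print(check_password("david2", personal_details=["David"], previous_passwords=["david1"]))
    print(check_password("Summerholiday2017!"))
    print(generate_password())
```

Rule 3 is applied to substrings deliberately: “Summerholiday2017!” is 18 characters with all four classes, yet two dictionary words carry most of it, which is exactly what a rule-based cracker tries first.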