A cyber attack on the website of travel trade organisation Abta may have affected around 43,000 individuals. The organisation said around 1,000 files which may include “personal identity information” of holidaymakers who had made complaints about Abta members could have been involved in the attack, which happened on February 27.
IT security experts from Positive Technologies, OwlDetect, Nexsan, Cylance, Certes Networks, MWR InfoSecurity, Vectra Networks, Netskope, Zscale, Splunk, Micro Focus, Bitglass, Digital Guardian, Avast and SailPoint commented below.
Alex Mathews, Lead Security Evangelist at Positive Technologies:
“The type of attack on ABTA is unfortunately all too common, vulnerable web servers present a ripe target. The organization’s allure to hackers is also amplified by the fact it holds a database of personal information, which can now use for a variety of nefarious means.”
“If the compromised web application was being hosted on the same outsourced server as the illegally accessed database, this is not best practice, the two should be segregated. This is because any breach of the application would likely provide the attacker with access to administrative levels of the database.”
“The focus will now switch to post breach analysis, investigating the compromised servers to ascertain how long the attacker had access to the system, how the breach happened and what can be done to minimize risk. However, this is obviously no comfort to people who have had their data stolen, who should change passwords across the board, everything from email to social networks.”
Professor Richard Benham, Leading UK Expert on Cybersecurity and Security Advisor for Online Service OwlDetect:
“If you’re a customer of ABTA and you are concerned your email address, password or contact details may have been jeopardised, there are a number of steps you can take to reassure yourself and help safeguard your data.
“Firstly, it’s important that you act quickly. Change any passwords which might be affected, especially those which you use elsewhere on the web. New passwords should contain a strong alphanumeric code, including numbers, hashtags and punctuation. It’s also advisable to opt for Two-Factor Authentication whenever possible. This means that, even with your email and password, hackers cannot gain access to a website without first having access to your mobile phone.
“If you’re looking to protect yourself even further, services like OwlDetect can monitor the web and alert you if any of your personal information is leaked.”
Geoff Barrall, COO at Nexsan:
“The ABTA breach brings to light the dangers of trusting critical data to a third-party, web hosting provider. With the AWS outage happening only a few weeks ago, it is clear that there is substantial risk in trusting third party providers with such sensitive data. With advances in private cloud technology organisations can bring data back under the control of corporate IT to mitigate these risks.
On-premises private cloud solutions have come a long way in the last decade and can offer flexibility along with the security that businesses need to survive. With this level of functionality and security available, there is no need for companies to continue to risk their reputation on third party solutions.”
Dr Anton Grashion, Managing Director, Security Practice at Cylance:
“This type of cyber attack is going to continue to occur, where personally identifiable information is stolen. This data can be used by cyber criminals to apply for loans and credit cards, and the email addresses are often used to send spear phishing emails as part of other attempts at cyber crime.
“Until more businesses stop depending on outdated antivirus technology to protect their sensitive data and look to the newer approaches, such as those deploying artificial intelligence to ferret out and prevent the brand-new types of malware from running, more and more ordinary citizens are going to be affected by attacks such as this one.”
Dan Panesar, VP EMEA at Certes Networks:
“The cyber-attack on Abta’s website once again highlights the need for organisations to take cyber-security more seriously. As with any breach, the finger of blame will always point to the organisation as opposed to the third-party security provider. The onus should be on the organisation to not only work with trusted providers, but to take additional steps to encrypt data handled by third-parties in case it falls into the wrong hands. After all, humans are the weak link in the network so by encrypting everything and trusting nothing, organisations can be confident that their data is secure and cannot be exploited by cyber-criminals.
As the number of companies being hit by hackers rises, it is not acceptable for organisations to treat every single cyber-attack as a ‘learning curve’. With the introduction of the new GDPR in 2018, the lessons need to have been learned and action taken. The approach to cybersecurity needs to change or companies could face failure if they do not comply.”
Dave Hartley, Associate Director at MWR InfoSecurity:
“The data breach reported by ABTA today is a powerful example of the dangers of divesting security responsibilities to third party developers and hosting providers.
Attackers will always find the weakest link and traverse the path of least resistance, and all organisations need to be aware that any one of their service providers can expose them to the risk of breach. It doesn’t matter if a company’s own house is in order – they need to make sure that all of their partners hold the same standards of protecting them and their data.
Business’s need to put a great deal of due diligence and consideration into assuring the security of any third-party relationship and their supply chain – but especially any partner or service provider directly responsible for customer data such as a web host.
Attempting to shift focus to third parties will mean little to any customers who are affected by a data breach, and firms need to accept that responsibility ultimately falls at their door, regardless of the source of the breach.”
Matt Walmsley, EMEA Director at Vectra Networks:
“Today’s unfortunate hacking is a stark reminder that businesses need to take extra care with their data and those of their customers.”
“Through a lack of in-house knowledge or in an effort to save costs, businesses and organisations often outsource their web server hosting to third-party providers. However, they need to be aware that when they do this they are essentially outsourcing their security capabilities and robustness to that third party, who may not always be well-placed to evaluate security elements. Businesses must be prepared to vet the security capabilities of their partners and take extra precautions when they have a duty of care over personal information. It’s critical that, wherever a service is hosted, organisations retain the ability to rapidly and accurately detect attacks. In doing so they give themselves the best chance to intervene early and minimise or even defeat the breach. Playing the blame game may dampen the resulting reputational damage of a breach, but it’s unlikely to spare any parties involved from the punishments of GDPR.”
“In the coming days, weeks and even months, consumers who are affected by the breach should remain vigilant and ensure that all their personal accounts are secured. Something as simple as changing a password can make a big difference when it comes to keeping their identity safe.”
Andre Stewart, VP EMEA at Netskope:
“The news that the UK’s largest travel association has been targeted by cybercriminals will concern any holidaymakers who have relied on ABTA. With data from both organisation members and up to 43,000 customers exposed by the hack, many will be wondering if their own accounts, private information and contact details are still secure.
“While the web server system vulnerability has now been fixed and ABTA was quick to alert potential victims alongside the offer of help for those affected, to some extent, the damage has been done. Just this week fraud prevention organisation Cifas revealed that identity theft cases reached record levels in 2016 – and the theft of personal information such as contact details only increases the likelihood of falling victim to fraudsters. This hack serves to remind businesses of their accountability when it comes to the privacy of their customers. The EU General Data Protection Regulation (GDPR) – set to come into effect in May 2018 – will hold businesses accountable for their data practices and will force companies to take active measures to mitigate any threats to personal privacy. There will be hefty fines for those which fall short of these standards.
“Organisations must be able to protect their customers’ privacy and safeguard their data or, in this digital age, they run the risk of becoming a huge target for those cyber criminals testing organisations’ digital defences. In particular, as more data is stored off-premises and in cloud services, organisations need to ensure the correct security controls are in place within their businesses and their suppliers. Remaining vigilant to unusual user behaviour and taking active measures to secure data – especially in the cloud – will be key to protecting customer data and, above all, their privacy.”
Chris Hodson, EMEA CISO at Zscaler:
“In an era fast approaching significant regulatory change, it’s worrying that we’re still seeing big name brands jostling for data breach headlines. Even the most trusted and respected household names are repeatedly failing at even the most basic security measures.
“With personally identifiable information being compromised, rather than prioritised when it comes to protection, we have to question where the gaps in corporate security lie and understand how responsibility should be defined so that businesses can start to fill them.
“Irrespective of where data resides, businesses cannot outsource responsibility. So, as more third party cloud services are adopted, this management of the supply chain must be considered. Especially as the EU GDPR age promises excruciating fines for those who cannot comply.
“For consumers concerned in the wake of this incident, it will be critical to reconsider passwords. Having a back-up store of various different and complex passwords will mean that they won’t have to rely on corporate enterprise security in the short-term. In the long-term the onus must be flipped back to businesses who are responsible for stress testing their systems, working with third parties and ensuring that nothing slips through the net.”
Matthias Maier, Security Evangelist at Splunk:
“The news that the travel trade organisation ABTA has been hit by a cyber-attack is yet another reminder that organisations of all types should expect to be targeted by attackers.
In such a threatening cyber landscape, organisations must have the right response capabilities and processes in place to stifle the impact of malicious and highly destructive assaults. When an organisation finds out that its infrastructure has been breached by criminal activity, its first step should be to understand its scale and scope through the machine data it should have available in its organisation. This is increasingly important due to upcoming requirements put in place by the GDPR regulation regarding breach notification that will come into effect across Europe in 2018.
It looks like ABTA has done its homework and ensured that the third party-provider that hosts its website has been able to remediate the vulnerability and identify what has happened quickly. As a result, ABTA has been able to alert affected customers and the relevant authorities in a timely fashion with a view to mitigating its impact. As we see the number of cyber attacks and breaches grow, having the capability to understand the scale of a breach by analysing all machine generated data from web applications will be key, as will having proper processes and crisis plans in place to respond effectively.”
David Mount, Director of Security Solutions Consulting EMEA at Micro Focus:
“As with most data breaches, news of this latest hack from Abta is likely to raise questions around how large organisations are protecting our personal data and keeping passwords safe. In this case the passwords of those affected are encrypted, meaning they will be difficult for an attacker to decipher, but that’s not always the case. One of the reasons why username and password databases make such good targets for hackers is that users apply the same password across many different online services, opening themselves up to broader issues if even one service is compromised.
“In future, we need a more effective way to securely prove who we are without relying solely on passwords as they are no longer useful as a single factor of authentication. The answer could be biometrics, tokens, smartphones, behavioural indicators, or a blend of these measures – pinpointing the appropriate method always depends on the sensitivity of the information or service being secured. Hackers are always looking for new ways to access these databases, and relying on a user to devise (and remember) a sufficiently secure password for each different online account is fundamentally flawed.”
Eduard Meelhuysen, Head of EMEA at Bitglass:
“ABTA must prioritise data security if it is to maintain customer trust. With GDPR on the horizon, it’s essential that companies use appropriate measures to keep personal data safe. Fast forward to May 2018 and a breach of this scale could well have landed the company with a hefty fine if it was found to have neglected its security responsibilities. At the very least, all sensitive data should be protected with encryption and watermarking – both fairly straightforward technologies that are readily available. Organisations should also consider how they can use the public cloud in place of on-premises infrastructure. Major cloud providers spend more on security personnel and security infrastructure than most enterprise CISOs could ever hope to see in their budgets.”
Thomas Fischer, Threat Researcher and Security Advocate at Digital Guardian:
“The news of ABTA’s third party security breach is further evidence that hackers will exploit any and all vulnerabilities to gain access to sensitive data, including weak links in the supply chain. Enterprises need to secure every point of access to appropriately protect their customers. While many businesses are placing more emphasis on their own data protection these days, it’s easy to forget third parties pose just as much of a risk to security. Simply assuming that suppliers and partners have adequate protection in place isn’t good enough, steps must be taken to ensure that critical customer information is protected regardless of where it is in the supply chain.”
Pete Turner, Consumer Security Expert at Avast:
“It’s bad enough if you have to complain about your holiday to ABTA but then to potentially have your personal information compromised will be of concern to many people.
While it is good that ABTA has already taken steps to not only notify the Information Commissioner and police, but also set up a helpline for people to call if they are concerned, the fact is that consumers can no longer trust companies to keep their data safe. The regular news stories hitting the headlines of data breaches is example of this. It’s important for people to take control of their data and to understand its value. My tips for staying safe online are:
- Secure any online accounts, such as banking or social media, by ensuring they aren’t sharing the same email and password combination. If you are re-using login details across multiple accounts, change them and use two-step authentication if possible, such as a password and a back-up phone number or other account.
- Be alert to suspicious activity on your accounts such as receiving any potentially fake emails. We are in peak holiday booking time and cyber scammers will be taking full advantage of this. If your data is at risk for having been compromised, you should validate these as genuine by contacting the company that sent them directly or visiting their website before taking any of the action suggested by the email.
- Finally, as you would expect, I always recommend having a good internet security product on your PC or mobile devices. Whether you use a laptop or a tablet to access your online accounts, you should always ensure you are as protected as possible against any hacks, phishing tricks or spam emails because as we have seen, we can’t rely on other people to keep us safe online.”
Kevin Cunningham, President and Founder at SailPoint:
“Being exposed as unprepared and ill-equipped to minimise the damage associated with a breach is a fear of any organisation. Today’s organisations house vastly more sensitive data, and so everyone from the executive level down needs to ensure there is a collaborative effort from internal staff to protect that sensitive information and ultimately, the health and longevity of the company.
“In today’s world, it’s a matter of when, not if, a data breach will happen. So the most important factors are prevention, education, and rapid response. When a breach does happen, it’s important to quickly find out how and why it occurred, assess the damage and required response, and put IT controls in place to address future attacks. This is where identity and access management solutions can help, because they can address the immediate pain while also identifying – and mitigating – other areas of exposure.”
About the Author
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
