Email addresses and personal details belonging to 43,000 British holidaymakers may have been stolen in a cyber attack against Abta’s website.
Data for up to 650 members of the Association of British Travel Agents were exposed in the hack, which has put tourists at risk of identity theft or online fraud.
The person or group who infiltrated the website had access to holidaymakers’ contact details and encrypted passwords, and private documents submitted to support complaints about travel firms.
Abta warned its members and customers to take precautions as it announced on Thursday that it recently became aware of “unauthorised access” to the Abta.com web server.
Abta said the vast majority of the 43,000 customers are people who have registered on its website or have filled in an online form with basic contact details, which are at a “very low exposure risk” to identity theft or online fraud.
The hacker or hackers may have obtained identity information for 1,000 tourists who have uploaded files in support of a complaint about an Abta member since January 11.
Abta said: “This was possible due to a system vulnerability that the infiltrator exploited to access some data provided by some customers of Abta members and by Abta members themselves.”
The organisation said its own IT systems were not hacked, but the web server for the website, managed by a third-party developer and host, was breached on February 27.
It said: “This unfortunately means that some documentation uploaded to the website by Abta members, as well as some information provided by customers of Abta members in support of their complaint about an Abta member, may have been accessed.”
The third-party host has fixed the problem.
Abta said it has contacted potential victims, set up dedicated help lines and offered free access to an identity theft protection service from Experian.
Police and the Information Commissioner have been alerted.
Customers and members were advised to change their passwords for Abta.com and other accounts where they use the same password or a variation of it.
They should also remain vigilant regarding online and identity fraud by monitoring bank accounts and their email and social media accounts.
Abta CEO Mark Tanzer said: “Having become aware of the unauthorised access, we immediately notified the third-party suppliers of the Abta.com website who immediately fixed the vulnerability.
“Abta immediately engaged security risk consultants to assess the potential extent of the incident. Specialist technical consultants subsequently confirmed that the web server had been accessed.”
He added: “We are not aware of any information being shared beyond the infiltrator. We are actively monitoring the situation, but as a precautionary measure we are taking steps to warn both customers of Abta members and Abta members who have the potential to be affected.
“I would personally like to apologise for the anxiety and concern that this incident may cause to any customer of Abta or Abta member who may be affected.
“It is extremely disappointing that our web server, managed for Abta through a third party web developer and hosting company, was compromised, and we are taking every step we can to help those affected.
“I will personally be working with the team to look at what we can learn from this situation.”