Cyber Incident Victim: Association of British Travel Agents

The Association of British Travel Agents (ABTA), the UK's largest travel trade organisation, experienced a cyberattack on its website discovered on 1 March 2017. Unauthorised access occurred on 27 February 2017, compromising approximately 1,000 files containing sensitive data affecting 43,000 UK holidaymakers and travel agents. The breach exposed personal information submitted through ABTA's complaint system since 11 January 2017, including consumer contact details, email addresses, and encrypted passwords. Approximately 650 files contained personal identity information of ABTA members, while other compromised data included customer complaint registration details and membership support documents uploaded by ABTA-registered travel agents. The organisation governed travel industry complaints procedures, making its systems a repository for consumer grievances requiring personal identifiers.

Upon detecting the breach, ABTA immediately notified its third-party website suppliers who patched the vulnerability. The organisation engaged security risk consultants to assess the incident's scope, with technical specialists confirming web server access by attackers. ABTA began direct notifications to affected consumers and members, establishing a dedicated helpline (020 3758 8779) for concerned individuals. Chief Executive Mark Tanzer publicly apologised for the anxiety caused and confirmed the London Metropolitan Police had launched an investigation. The incident created significant identity fraud risks due to exposure of personally identifiable information, including names, addresses, and contact details that could be exploited by cybercriminals. The timing highlighted data protection challenges ahead of the EU's impending GDPR regulations, which threatened substantial fines for non-compliance.