There’s a famous Britney Spears song: Oops, I did it again. This phrase can easily be attributed to data breaches, which target any industry handling payment card data and personally identifiable information (PII).

It can also be attributed to organizations’ failure once again -- and especially in the data breach-prone accommodations industry --  to demand that third-party providers are PCI compliant, securing sensitive information.

This time, ironically, it was the Association of British Travel Agents (ABTA)’s turn to be the target: its third-party web developer/host’s web server was accessed, exploiting a vulnerability. ABTA insists it knows of no damage, but it does admit that some 1,000 files may have included PII from ABTA members’ customers. ABTA members’ and customers’ passwords may also have been accessed, albeit it was assured that they were encrypted.

So whose fault is it? While the association may place the blame on its provider, ABTA is ultimately responsible for the security of its member data. It’s ABTA who ought to have dug more into its third-party safeguards for PII.

If this happened a year from now, ABTA would have been in breach of the European Union’s General Data Protection Regulations (GDPR) to protect personal data. It wouldn’t get off so easily: GDPR’s hefty fines would make sure of that. ABTA and any other organization in breach might also face investigations by a GDPR policing unit.

Sadly, most members of ABTA may be only vaguely aware of GDPR's existence, let alone its dire implications.

That’s why, especially now, when ABTA itself has been breached, it’s crucial that it, as a leading trade organization, guides its members on best practices for managing and protecting PII and payment card data. ABTA members, however, comprise traditional “brick and mortar” businesses, light on IT investment and low tech. Procurement processes are fragmented and not fully integrated.

The International Association of Travel Agents (IATA) appears to have taken steps to ensure PCI compliance to safeguard data; it has sent out a communication, giving its member agents and potential agents a June 1, 2017 deadline to become PCI compliant; otherwise, they cannot be accredited as IATA agents.

ABTA: time to follow suit. You’re not that innocent.