AA Criticised For Failing To Notify Customers Of Data Breach

The AA has been criticised for apparently failing to notify more than 100,000 customers that their personal information was exposed in an incident dating back to late April.

The breach was first disclosed to the public last week when the AA acknowledged the breach on Twitter but said it had not involved “sensitive” information.

No notification

That tweet was in response to a message by security researcher Troy Hunt, who posted an alleged direct Twitter conversation between one of his contacts and the AA informing them of the 13 GB of exposed data.

“No data has been compromised,” the AA told Computer Weekly at the time.

But Hunt, who operates the data breach tracking website Have I Been Pwned, later analysed the exposed data and found 117,000 unique email addresses as well as names, IP addresses and credit card types, expiry dates and cards’ final four digits.

Researcher Scott Helme found the same data in an analysis published in part by technology website Motherboard.

Helme found the data also included password hashes used by customers to log into the AA’s online shop.

Hunt told the BBC the breach was “very serious” and told Motherboard the AA’s apparently deliberate decision not to notify customers was “infuriating”.

AA Shop breach

The data relates to customers of the AA’s online shop, which is operated by a third party and sells maps, car accessories and other products to retailers and individuals.

According to researchers, the data appears to have been contained in two database backup files that were left accessible to the public internet due to a server misconfiguration.

“This incident was related to the AA shop & retailers’ orders rather than sensitive info. It was rectified and taken seriously,” the AA said in its original Twitter response.

The company said it learned of the problem on 22 April and notified the firm that operates the shop, which identified the problem and resolved it on 25 April.

The data was “only accessed several times”, the AA said in a statement.

“We take any data issues incredibly seriously and would like to reassure our AA Shop customers that their payment details have not been compromised,” said AA president Edmund King stated.

The AA said it has launched an independent inquiry and notified the Information Commissioner’s Office (ICO).

Password reset confusion

Hunt said he had contacted several of the subscribers to Have I Been Pwned whose details were found in the leaked data, and was told they had received no notification of the breach.

“At no point does their statement acknowledge the severity of the exposed data nor that they failed to notify customers when learning of the exposure,” Hunt told the BBC.

According to the ICO, organisations aren’t legally obliged to notify customers in the event of the exposure of their data, but it’s considered good practice, particularly when a large number of individuals are involved.

Last week the AA separately confirmed it had sent some users password reset confirmation emails, but said the messages had been sent in error and that the passwords hadn’t been reset.

It isn’t clear whether that incident had any link to the earlier data breach or its public disclosure.

What do you know about the history of mobile messaging? Find out with our quiz!