AA in dock for not disclosing breach of customer data

AAThe Automobile Association has come under fire for failing to disclose a major data breach which hit the AA Shop website over two months ago, amid claims that the personal details of more than 100,000 customers may have been compromised.
The AA says it first discovered the issue back in April but an initial investigation showed that the data from the site – which is run by a third party – “was not sensitive” and payment details had not been leaked.
However, following claims made by security researcher Troy Hunt, who owns the Have I Been Pwned website, the AA has now launched an independent inquiry into the breach and has also informed the Information Commissioner’s Office.
Hunt said he found 117,000 unique email addresses in the file as well as names, credit card types, expiry dates and the final four digits of the card.
He told the BBC: “I have confirmed with many Have I Been Pwned subscribers in the data and they have verified that it’s accurate. They’re customers of the AA and they never received a notification about the data exposure.
“At no point does their statement acknowledge the severity of the exposed data nor that they failed to notify customers when learning of the exposure,” he said. Hunt insisted that discussions with the ICO might take a “decidedly different tone” when it learned about the customer data in the cache.
In a statement by AA president Edmund King, the company said it first learned about the problem on April 22 and it was resolved on April 25. He blamed a server “misconfiguration” for giving access to two back-up files that contained information about orders and some customers.
“We take any data issues incredibly seriously and would like to reassure our AA Shop customers that their payment details have not been compromised,” said King.

Related stories
Red faces at AA as email gaffe triggers hacking panic
AA hails CRM strategy for halting membership crash
AA brings in Informatica for customer data overhaul