Why AA didn’t inform customers after a massive data leak

A backup containing sensitive information on more than 100,000 AA customers was exposed online, but the company didn’t disclose the incident.

UK car insurance company AA is being heavily criticized over its handling of a data breach that exposed customer email addresses and partial credit card number in April.

A server misconfiguration is the root cause for the exposure of data from the AA’s online shop. The issue exposed backup files containing orders for maps, motoring accessories and other products.

The incident was publicly disclosed last week when security experts Troy Hunt criticized the way AA has downplayed a massive data breach that exposed about 13GB of DB backups.

The AA confirmed the incident affected AA shop & retailers orders rather than sensitive info. It was rectified & we take this seriously.”

According to Troy Hunt, the leak exposed also partial payment details (the last four figures of credit card numbers) of the users and other sensitive information.

According to Motherboard the leaked dump contains 117,000 unique email addresses as well as portions of credit card data.

“The data obtained by Motherboard contains 117,000 unique email addresses, as well as full names, physical addresses, IP addresses, details of purchases, and payment card information. Those card details include the last four digits of the credit card and its expiry date.” states the blog post published by Motherboard.

“The data also appears to include a number of password hashes, and according to security researcher Scott Helme, an expired certificate and private encryption key.”

“This is essentially the username and password that the AA use to login to their Secure Trading account,” Helme wrote in an analysis of the breach shared with Motherboard.”

Even is a small portion of a credit card number has been exposed, this data can be used for identity verification exposing the owners to identity theft.

The ICO confirmed it is aware of the incident and that it is investigating the case.

“Businesses and organisations are obliged by law to keep people’s personal information safe and secure. We are aware of an incident involving the AA and are making enquiries.” an ICO spokesperson told El Reg.

According to the AA, the data was “only accessed several times.”

“Legal letters warning against a dissemination breach under the ‘Computer Misuse Act’ will be issued. The ICO [Information Commissioner’s Office] has been informed and we have commissioned a full independent investigation into the issue. We take any data issues incredibly seriously and would like to reassure our AA Shop customers that their payment details have not been compromised,” reads the statement from AA. 

A few days ago, the UK car insurance company accidentally sent out a ‘password update’ email to its customers, at the time the incident declared the problem was caused by a human error.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – voluntary disclosure, data leak)

[adrotate banner=”13″]