Over 100,000 customers’ emails and card data left exposed after breach
UK car insurance firm AA reportedly left over 100,000 customers’ personal and sensitive information exposed and failed to notify customers about their leaked data, despite having been aware of a potential breach in its systems. The data was reportedly leaked via an exposed server hosting a database linked to AA’s online store.
The exposed data reportedly included 117,000 unique email addresses, full names, addresses, IP addresses, details of purchases, and the last four digits and expiry dates of credit cards.
On 26 June, AA customers received password reset emails. However, the firm told Computer Weekly that an “internal error” and “not a hack” resulted in some customers receiving the email and that “no data has been compromised.” The firm also claimed at the time that the incident was “related to the AA shop and retailers’ orders rather than sensitive info.”
However, security researcher Troy Hunt took to Twitter to shed further light on the incident. One of Hunt’s followers allegedly warned AA about an insecure database exposing 13GB of data in April. The issue was resolved on 25 April; however, the firm refrained from informing its customers about the incident. It remains unclear how long the data remained exposed before AA was notified about it.
“We can confirm that the AA was informed of a potential vulnerability involving some AA Shop data on 22nd April 2017,” the AA told Motherboard. According to the firm, the data was “only accessed several times.”
According to security researcher Scott Helme, the leaked data also includes password hashes and a private encryption key. “This is essentially the username and password that the AA use to login to their Secure Trading account,” Helme said.
“The most infuriating aspect of this incident is that the AA knew they’d left the data exposed, they knew it had been located by at least one unauthorised party and they knew that a six figure number of customers had been impacted, but they consciously elected to keep it quiet and not notify anyone,” Hunt told Motherboard.
Security researcher Bob Diachenko of Kromtech Security, which hunts for data breaches, told IBTimes UK that such incidents generally occur when businesses fail to incorporate basic security practices. According to the researcher, breaches and leaks more often occur not as a result of a malicious hack but due to organisations’ “ignorance” or failure to implement basic security protocols.
The AA has since tweeted out an apology to its customers, adding that the issue is “now fixed” and that no credit card information was compromised. The firm also said that it is conducting an independent investigation into the matter.