AA: Our handling of security breach fell short

Breakdown firm apologises after security researchers claim cover up

The AA has admitted that a recent data breach "should have been handled better", apologising to customers after initially denying that credit card information was left at risk as part of the breach, before later acknowledging that it was.

In an email to affected customers sent on Friday, AA President Edmund King said the company was "aware of concerns that we fell short in our handling of reports that some personal data from the AA Shop online had been compromised", adding that it accepted the criticism that it should have been more transparent.

The company was notified in April that 13GB of database backups were publicly accessible via an unsecured Amazon Web Services bucket, which it then took offline without notifying customers of the potential data leak - something it will soon have to do under incoming data protection rules.
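The root cause described above is a storage bucket that was readable by anyone on the internet. The page does not say whether the bucket was opened by its ACL or by a bucket policy, so the check below covers both, plus the Block Public Access settings that AWS added after this incident. It is an added example, not code from the AA, its supplier or the researchers quoted here; it runs offline against constructed copies of the response shapes boto3 returns from get_bucket_acl(), get_bucket_policy() and get_public_access_block(), and the bucket names and IDs in it are made up.

```python
"""Offline check of the two ways an S3 bucket is commonly left world-readable:
a bucket ACL granting the AllUsers/AuthenticatedUsers groups, or a bucket
policy with a wildcard principal. Input dicts mirror what boto3 returns from
get_bucket_acl(), get_bucket_policy() and get_public_access_block(); the sample
data at the bottom is constructed for illustration, not taken from any incident."""
import json

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",           # anyone, no credentials
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account holder
}


def public_acl_grants(acl):
    """Return (group name, permission) pairs in an ACL that reach the whole internet
    or every AWS account holder."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return hits


def _principal_is_wildcard(principal):
    """A policy principal of "*" or {"AWS": "*"} (or "*" inside a list) is everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return the Sids of Allow statements with a wildcard principal and no Condition.
    Statements that carry a Condition are skipped: whether they are public depends on
    the condition keys, which this check does not evaluate."""
    if not policy_json:
        return []
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    hits = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow" or not _principal_is_wildcard(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue
        hits.append(st.get("Sid", f"statement-{i}"))
    return hits


def block_public_access_complete(pab):
    """True only if all four Block Public Access switches are on for the bucket."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in (
        "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))


def assess_bucket(name, acl, policy_json=None, pab=None):
    """Combine the three signals into one verdict for a bucket."""
    findings = {
        "bucket": name,
        "public_acl_grants": public_acl_grants(acl),
        "public_policy_statements": public_policy_statements(policy_json),
        "block_public_access": block_public_access_complete(pab),
    }
    # With all four Block Public Access switches on, public ACLs are ignored and public
    # policies are restricted to the owning account; without it, either signal means
    # objects can be fetched anonymously.
    findings["exposed"] = not findings["block_public_access"] and bool(
        findings["public_acl_grants"] or findings["public_policy_statements"])
    return findings


# Constructed sample responses (hypothetical buckets): a backup bucket readable by the
# AllUsers group with no Block Public Access, and a bucket that is locked down.
LEAKY_ACL = {
    "Owner": {"ID": "exampleowner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "exampleowner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-db-backups/*"}]})
SAFE_ACL = {"Owner": {"ID": "exampleowner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "exampleowner"}, "Permission": "FULL_CONTROL"}]}
FULL_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    for verdict in (assess_bucket("example-db-backups", LEAKY_ACL, LEAKY_POLICY, None),
                    assess_bucket("example-locked", SAFE_ACL, None, FULL_PAB)):
        print(json.dumps(verdict, indent=2))
```

To run it against real buckets, feed the functions the dicts returned by boto3's `s3.get_bucket_acl(Bucket=name)`, `s3.get_bucket_policy(Bucket=name)["Policy"]` and `s3.get_public_access_block(Bucket=name)`, remembering that the last two raise `NoSuchBucketPolicy` / `NoSuchPublicAccessBlockConfiguration` when nothing is set, which should be treated as "no policy" and "not blocked" respectively.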

However, security researchers later discovered that more than 100,000 user accounts of the AA Accessories Shop had been exposed as part of the breach, which the AA blamed on a third-party provider that operates the shopping service.

The breakdown company had previously denied that the "data issue" contained any credit card information, and claimed, in a tweet sent on 3 July, that the matter had been resolved.

However, the company has been criticised by security researchers who claim its actions amounted to an attempted cover-up, as it tried to downplay the full scope of a data leak that is now known to have included personal information and "partial payment card information".

Security analyst and breach notification expert Troy Hunt said that the AA had "consciously elected not to notify subscribers after being alerted to the disclosure of 13GB worth of publicly accessible database backups back in April".

The breach is said to have included the names, email addresses and phone numbers of customers who used the AA online shop at any time before January 2017, as well as partial credit card details. The company maintains that the information is not enough to make purchases, and that there is currently no evidence that the data has been exploited.

Customers also complained in June that they had received emails notifying them that their passwords had been changed and telling them to contact a number for support. At first the AA said it was not responsible and that it was investigating the matter, later claiming it was the result of an internal error.

Although customers were advised that their passwords had not been changed and that their accounts remained safe, some reported being unable to log in.

The AA maintains that there is "no connection" between the recent password blunder and the data breach. "We are obviously sorry about both unrelated incidents and any worry that they have caused," said AA president Edmund King, in a statement sent to IT Pro.


04/07/2017: AA security breach 'spilled 100,000 customers' personal data'

The AA has admitted to a security issue on its shop website after reports that data including customers' names, addresses, email addresses, and partial credit card information has been exposed on a publicly-accessible server.

The company said in a statement that it was informed of a potential vulnerability involving some AA Shop data on 22 April 2017, adding that it was fixed three days later. In a tweet, the AA added that no credit card information was "compromised".

But Motherboard reported that the details of 100,000 AA customers had been exposed, citing security researcher Scott Helme's own investigation, and spoke to affected customers who said the AA had never directly informed them of the breach.

The database relates to an online shop run by the AA offering a selection of vehicle-related goods. The breach first surfaced around a week ago. Security researcher Troy Hunt said he had been contacted by someone who claimed to have told the AA that it had a security issue back in April. It was claimed that around 13GB of database backups had been exposed.

Since then the AA has opened an independent inquiry into the issue and informed the UK's data watchdog, the Information Commissioner's Office (ICO), about it.

"Legal letters warning against a 'dissemination breach under the Computer Misuse Act' will be issued. The ICO has been informed and we have commissioned a full independent investigation into the issue," the AA said in a statement.

"We take any data issues incredibly seriously and would like to reassure our AA Shop customers that their payment details have not been compromised."

The ICO said it was aware of an incident involving the AA and would make enquiries.

"When organisations detect a breach, it should be their first priority to inform all affected customers and take steps to ensure the continued protection of any exposed data," said Ross Brewer, VP & MD of EMEA for security firm LogRhythm. "Failing to do so can, and often does, result in confidential information being left 'in the wild' for longer than it needs to be. It only takes one hacker to be in the right place at the right time to cause very real damage."

"Cyber criminals could easily be among them [the affected users], meaning that we should be prepared that the entire 100,000 database is breached and will be for sale on the dark web soon," claimed Ilia Kolochenko, CEO at High-Tech Bridge. "However, I would avoid any panic until a first confirmed incident, involving records from the breached database, appears. In any case, victims of the breach would be better off cancelling their credit cards and changing all their passwords if they used the same or similar ones for all their accounts."
