AA: Our handling of security breach fell short

Breakdown firm apologises after security researchers claim cover up

The AA has admitted that a recent data breach "should have been handled better", apologising to customers after initially denying that credit card information was left at risk as part of the breach, before later acknowledging that it was.

AA President Edmund King said the company was "aware of concerns that we fell short in our handling of reports that some personal data from the AA Shop online had been compromised", adding that it accepts the criticism it should have been more transparent, in an email to affected customers sent on Friday.

Advertisement - Article continues below

The company was notified in April that 13GB of database backups were publicly accessible via an unsecured Amazon Web Services bucket, which it then took offline without notifying customers of the potential data leak - something it will soon have to do under incoming data protection rules.

However, security researchers later discovered that more than 100,000 user accounts of the AA Accessories Shop had been exposed as part of the breach, which the AA blamed on a third-party provider that operates the shopping service.

The breakdown company had previously denied that the "data issue" contained any credit card information, and claimed, in a tweet sent on 3 July, that the matter had been resolved.

However, the company has beencriticised by security researchers who claim its actions amounted to an attempted cover-up, as it tried to downplay the full scope of a data leak that is now known to have included personal information, and "partial payment card information".

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Security analyst and breach notification expert Troy Hunt said that the AA had "consciously elected not to notify subscribers after being alerted to the disclosure of 13GB worth of publicly accessible database backups back in April".

The breach is said to have included the names, email addresses, phone numbers, as well as credit card details of customers who used the AA online shop at any time before January 2017. The company maintains that the information isn't enough to make purchases, and that there is currently no evidence that the data has been exploited.

Customers also complained in June that they had received emails notifying them that their passwords had been changed, and to contact a number for support. At first the AA said it wasn't responsible and that it was investigating the matter, later claiming it was the result of an internal error.

Although customers were advised that their passwords had not been changed and that accounts remained safe, some reported being unable to login.

Advertisement - Article continues below

The AA maintains that there is "no connection" between the recent password blunder and the data breach. "We are obviously sorry about both unrelated incidents and any worry that they have caused," said AA president Edmund King, in a statement sent to IT Pro.

Screenshot courtesy of Troy Hunt

Main image: Bigstock

04/07/2017:AA security breach 'spilled 100,000 customers' personal data'

The AA has admitted to a security issue on its shop website after reports that data including customers' names, addresses, email addresses, and partial credit card information has been exposed on a publicly-accessible server.

The company said in a statement that it was informed of a potential vulnerability involving some AA Shop data on 22 April 2017, adding that it was fixed three days later. In a tweet, the AA added that no credit card information was "compromised".

Advertisement
Advertisement - Article continues below

But Motherboard reports that details of 100,000 AA customers were exposed, sharing details of security researcher Scott Helme's own investigation, and spoke to affected customers who said the AA had never directly informedthem of the breach.

Advertisement - Article continues below

The database relates to an online shop run by the AA offering a selection of vehicle-related goods. The breach first surfaced around a week ago. Security researcher Troy Huntsaidhe had been contacted by someone who claimed to have told the AA that it had a security issue back in April. It was claimed that around 123GB of database backups had been exposed.

Since then the AA has opened an independent inquiry into the issue and informed the UK's data watchdog, the Information Commissioner's Office (ICO), about it.

"Legal letters warning against a dissemination breach under the Computer Misuse Act' will be issued. The ICO has been informed and we have commissioned a full independent investigation into the issue," the AA said in a statement.

"We take any data issues incredibly seriously and would like to reassure our AA Shop customers that their payment details have not been compromised."

The ICO said it was aware of an incident involving the AA and would make enquiries.

Advertisement - Article continues below

"When organisations detect a breach, it should be their first priority to inform all affected customers and take steps to ensure the continued protection of any exposed data," said Ross Brewer, VP & MD of EMEA for security firm LogRhythm. "Failing to do so can, and often does, result in confidential information being left in the wild' for longer than it needs to be. It only takes one hacker to be in the right place at the right time to cause very real damage."

"Cyber criminals could easily be among them [the affected users], meaning that we should be prepared that the entire 100,000 database is breached and will be for sale on the dark web soon," claimed Ilia Kolochenko, CEO at High-Tech Bridge. "However, I would avoid any panic until a first confirmed incident, involving records from the breached database, appears. In any case, victims of the breach are better to cancel their credit cards and change all their passwords if they had same or similar ones for all the accounts."

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Putting a spotlight on cyber security

An examination of the current cyber security landscape

Download now

The economics of infrastructure scalability

Find the most cost-effective and least risky way to scale

Download now

IT operations overload hinders digital transformation

Clearing the path towards a modernised system of agreement

Download now
Advertisement
Advertisement

Recommended

Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
Visit/business/policy-legislation/356215/senators-propose-a-bill-aimed-at-ending-warrant-proof-encryption
Policy & legislation

Senators propose a bill aimed at ending warrant-proof encryption

24 Jun 2020

Most Popular

Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/security/vulnerability/356295/microsoft-patches-high-risk-flaws-that-can-be-exploited-with-a
vulnerability

Microsoft releases urgent patch for high-risk Windows 10 flaws

1 Jul 2020
Visit/security/34616/the-top-password-cracking-techniques-used-by-hackers
Security

The top 12 password-cracking techniques used by hackers

12 Jun 2020