The AA has suffered its second data security incident in two months. After confusing its members over an apparently non-existent data breach in June, the company has now exposed a very real backup database containing the personal details of a very real 117,000 customers.
Motherboard reports that the exposed data contained full names, IP and residential addresses, and purchase details – including the last four digits and expiry dates of customers’ payment cards.
The AA covered up the breach
The fiasco began on 26 June, when AA members received an email telling them that their passwords had been changed. Fearing a data breach, customers turned to social media for information. The AA tweeted that it was “looking into this urgently”.
A few hours later, the AA sent a follow-up tweet: “The email was sent by us, but in error. Your password hasn’t been changed, and your data remains secure. Sorry for any confusion.”
That same day, security researcher Troy Hunt tweeted that a follower had “notified [the AA] about 13GB of exposed DB backups” in April. Subscribers to Hunt’s Have I Been Pwned website confirmed that the breached data was genuine, and Motherboard separately confirmed the breach, having received a copy of the exposed data.
In a statement issued to Motherboard, the AA said: “We can confirm that the AA was informed of a potential vulnerability involving some AA Shop data on 22nd April 2017.” It claimed that the issue was fixed on 25 April.
However, given the similarity to the earlier incident and the AA’s surreptitious response, it is hard not to wonder whether the two episodes are connected. Regardless, many experts are concerned that the AA repeatedly covered up the breach and left its customers in the dark. In an email to Motherboard, Hunt said:
The most infuriating aspect of this incident is that the AA knew they’d left the data exposed, they knew it had been located by at least one unauthorised party and they knew that a six figure number of customers had been impacted, but they consciously elected to keep it quiet and not notify anyone.
After Hunt tweeted his disappointment at the AA for covering up the breach, the company insisted that no credit card details had been compromised. When asked what details had been compromised, the AA said that it had instigated “a full independent investigation”, so it couldn’t provide any details.
As many Twitter users were quick to point out, if the investigation was not complete, how could the AA be certain that credit card details were not involved?
The Information Commissioner’s Office (ICO) is conducting its own investigation.
Know your data protection obligations
It remains to be seen what the ICO’s view on the matter will be, but the incident should be a wake-up call for all organisations. Under the EU General Data Protection Regulation (GDPR), which comes into effect next year, organisations will have 72 hours to report a data breach upon discovering it. Any organisation that fails to do this will be subject to a fine of up to €20 million or 4% of its annual global turnover – whichever is greater.
You can familiarise yourself with your data protection obligations by reading EU GDPR – A Pocket Guide. Written by Alan Calder, IT Governance’s founder and executive chairman, this guide is an ideal resource for anyone who wants a primer on the Regulation and advice on complying with it.