AA apologises, and confirms customers’ partial credit card data *was* exposed

Graham Cluley

AA apologises, and confirms customers' partial credit card data *was* exposed

AA apologises, and confirms customers' partial credit card data *was* exposed

Earlier this week I wrote about the UK Automobile Association’s shambolic response to a reported data breach of its online accessories store which saw some customers’ personal information and partial credit card data exposed.

The company appeared to be living in denial of the facts, claiming that no credit card data had been compromised…

AA tweet

…even though it clearly had been…

Credit card data

Things took a rather absurd twist when Edmund King, the President of the AA, contacted me suggesting I remove the above graphic as it might be “in breach of the Computer Misuse Act”.

You can listen to the latest episode of the “Smashing Security” podcast to hear just what I thought of that…

Smashing Security #032: 'The iPhone 8, a data breach at the AA, and a mystery no show'

Listen on Apple Podcasts | Google Podcasts | Other... | RSS
More episodes...

Anyway, the important thing now is that on Friday evening the AA finally admitted that it was wrong. Some payment card information was exposed, as well as other personal information and “encrypted” passwords.

Customers would be wise to be on their guard against scammers, and you would be sensible to ensure that you are not reusing the same password anywhere on the net.

Aa statement

Here is the full text of the AA’s apology:

Important information about our AA Accessories Shop on-line customers’ personal data

We’re sorry.

We are aware of concerns that we fell short in our handling of reports that some personal data from the AA Shop on-line had been compromised. We accept the criticism that the issue should have been handled better. We are grateful for the support of the information security community in flagging issues to us.

Some of our customers’ personal data, given to us when they shopped online at our AA shop, became insecure when our service provider made an error with its computer systems leaving backup data exposed. We took steps to correct this when we were notified of this issue and then commissioned an investigation by external experts. This is ongoing, but we can now share the following information:

  • We have notified the relevant authorities.
  • We have emailed all of the customers affected with more details. Some emails may still be going through.
  • The data affected in all cases included names, addresses, phone numbers and email addresses.
  • For some customers who shopped with us prior to October 2014 it will also have included partial payment card information.
  • We do not believe customers who only shopped with us after January 2017 to have been affected at all.
  • Some encrypted passwords were included in the data. Whilst we do not believe that customer accounts at our AA shop were accessed, we are reminding customers of industry advice that they should consider changing their password if they used it on other sites. We will offer support to our customers. Similarly, while there is no information from customers or our specialist advisors that any data has been used for fraudulent activity, we have reminded customers that they should always look out for phishing and other scams.
  • This incident originated from third party systems outside our own network and did not affect main AA systems such as those processing insurance or membership information.
  • Nonetheless, it is clear that our supplier’s security safeguards in this instance fell short of the high standards that we and our customers rightly expect.

We know that our customers and the information security community expect and trust us to keep information safe and secure, and apologise wholeheartedly for what has happened. We will continue to work hard to keep customer data as safe as possible.

We again thank those of you with an interest in these important matters for your cooperation in helping us improve our data security.

Thank you.
Edmund

Edmund King OBE
AA president

What a difference in attitude a few days makes.

Clearly the data breach notification could have been handled much better. In particular, users should have been informed when the breach was first brought to the AA’s attention in April rather than seemingly swept under the carpet. Still, better late than never I guess…

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

6 Replies to “AA apologises, and confirms customers’ partial credit card data *was* exposed”

  1. Its good to see that The President OBE finally recognised Other Buggers' Efforts ™, albeit reluctantly. The promise to "keep customer data as safe as possible" somehow is less convincing.

  2. Hi Graham,

    Troy Hunt posted links to your podcast and article about this yesterday, in his blog. I added a comment with the link to this latest update article. Also included a plug about you talk during Blackhat, for Codenomi- con. With a link back for registration.

  3. Hi Graham,

    Did you get an appology for the ridiculousness of their takedown request of you graphic?

    Something that occurred to me was that "SecurityCode" element – should that ever be kept?

  4. The 4th emergency service may have a financial emergency of their own from next year if they do not take data security more seriously.
    Under the new GDPR (General Data Protection Regulations) for incidents such as these the maximum fine for a minor incident will be either €10 million (£7.9 million) or 2 per cent of an organisation's global turnover (whichever is greater). If this is deemed a more serious breach then this could result in fines of up to €20 million or 4 per cent of turnover (whichever is greater).
    The AA turnover is approaching £1 billion. Maximum fines somewhere in the region £20-£40 million.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Never miss a thing. Sign up for the free GCHQ newsletter from Graham Cluley.
GET EMAIL UPDATES