Yes - despite what it says - AA customer credit card data was exposed

The AA’s response has been at best shambolic, and at worst downright deceitful.

Yes - despite what it says - AA customer credit card data was breached

Last night, the AA (the UK's Automobile Association) tweeted that it had resolved a "data issue" on its shop website following reports that sensitive data (including customers' names, addresses, email addresses, and partial credit card information) has been exposed on a publicly-accessible server.

AA tweet

The AA Shop data issue is now fixed, No Credit Card info was compromised & an independent investigation is under way. We're sorry.

Rumours of a data breach involving AA customers first popped up on Twitter over a week ago, when security researcher Troy Hunt said that he had been contacted by someone who had informed the AA of a security problem back in April.

Aa conversation

The data remained accessible for a few days, before finally being secured. But the AA decided not to tell its customers in April (or May, or June) that there had been a problem.

What the AA *did* do was warn customers "urgently" that they should not respond to an email seemingly from the AA about a password change.

The company later confirmed that it had indeed sent the email (albeit "in error") and that no passwords had been changed. Which is curious in itself, because some customers did report that their passwords stopped working, and others described on Twitter how when they contacted the AA's support team via telephone they were told that they had been "hacked".

Aa hacked tweet

Of course, there is nothing to indicate that the bizarre password reset email had anything to do with the earlier security breach.

If you're finding this confusing to follow, you're seemingly nothing like as confused as the AA.

Amid criticism from the security community and growing media interest, the AA's support Twitter account went into overdrive describing the reports of a data breach on its online store as "speculation" and asserting that "credit card details have not been compromised".

Quite how much of the report of a data breach the AA believes to be speculation isn't made clear. And it also doesn't say what's not speculation.

But one thing's for certain. Partial credit card data of AA customers *did* leak out.

Here is a small sample of the data that was exposed through the AA security breach - containing card details such as expiry date and the last four digits of the card number

Credit card data

That's obviously not as bad as full credit card details, but for the AA to downplay the incident and say that "no Credit Card info was compromised" seems wrong on so many levels to me.

With just those last four digits - and accompanying information about the customers' name and contact details - it's easy to imagine how fraudsters could target users, pose convincingly as the AA ("here are the last four digits of your credit card number"), and extract further information that could be maliciously exploited.

Perhaps the AA, and other organisations, would be wise to read Troy Hunt's excellent article about how to properly disclose a data breach. Because the way the AA has handled this incident appears to have been at best shambolic, and at worst downright deceitful.

The Information Commissioner's Office (ICO) have been informed, and the AA says it has brought in independent investigators.

For further discussion of this incident (and the AA's response to this blog post) take a listen to this episode of the "Smashing Security" podcast:

Audio podcast: iTunes | Google Play | Overcast | Stitcher | RSS for you nerds.

Update: AA apologises, and confirms customers' partial credit card data *was* exposed

Tags: , , ,

Smashing Security audio podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

, , ,

7 Responses

  1. Etaoin Shrdlu

    July 5, 2017 at 7:47 am #

    Judging by the years of junk mail I got from the AA after leaving them, they keep your info forever.

  2. Chris Pugson

    July 5, 2017 at 8:15 am #

    It's the deceit and denial that's the worst thing. The AA is obviously incapable of honesty. There are plenty of alternatives to this bunch of cowboys. Trust is a fragile commodity and the AA has trashed mine.

    Tragically, this is a modern British disease in which high-ups constantly endeavour to control their customers by pulling the wool over their eyes. What they don't or won't get is that the customers are wise to this and become ever more cynical. A big part of the problem is that the high-ups are ignorant of technology and so adopt coping strategies such as resorting to deceit to preserve their jobs and muddle through. Our government and its ministers' inabilty to understand such matters as encryption is an example. This has been coming for more than forty years but the advent of the digital age has brought the issue of the incompetence of delusional high-ups into sharp focus. Dilbert's Pointy-haired Boss symbolises them.

    • Mark Jacobs in reply to Chris Pugson.

      July 5, 2017 at 2:41 pm #

      I couldn't agree more. I wrote this yesterday on another Cluley article :-

      It seems clear to me that the most important systems for society's infrastructure need to have the tightest and best-deployed security measures. NHS, ATC, and all sorts of other systems need the finest and most expert security implementations. However, because of the way these systems are tendered when created, they end up with the cheapest and most traditional solutions, which are inherently inert and difficult to change with the times. The people in charge of these tenders (usually public sector workers under the thumbs of council and other government officials) are some of the least technically-savvy people on the planet (their kids often know far more than they do about these matters!). They always fail to realise that the the most popular, or most traditional solutions are very often not the best to deploy, if increased security is what is required. Systems have to be using the most up-to-date ciphers, transport mechanisms, and DDOS-resilient hardware and software. This is a full-time job since the security landscape is constantly changing. That requires a full-time security team working with the systems on a day-to-day basis. Currently, we have a tender process that gives rise to systems which are often deployed once, managed intermittently and patched only when things have already gone wrong. Ad-hoc teams with no previous experience of that particular system, are then employed under incredible pressure to sort out problems only after the systems have been hacked or have gone wrong. This cannot continue. The government has to spend LOTS of money on this, or else, one day, important infrastructures will be brought to their knees permanently.

      • furriephillips in reply to Mark Jacobs.

        July 10, 2017 at 12:11 pm #

        Reading this, gave me a little daydream; a roving team of hardcore geeks, fighting to improve user involvement & understanding, and fostering sensible IT equipment procurement policies and security awareness – going from department to department & town to town, making logical & sane decisions for long-term system functionality & enabling easy future upgradability, and acting in real-time, to get our systems into line with some simple, basic policies. #PipeDream

    • furriephillips in reply to Chris Pugson.

      July 10, 2017 at 11:35 am #

      I listened to the Smashin' Security podcast in horror, as Graham described the AA's actions & attitude – it's unforgivable – never mind the foolish cause of the breach, the integrity of your actions after the fact, define you.

  3. Keith Scott

    July 5, 2017 at 6:15 pm #

    AA not able to keep their honesty. That is not good news for us.

  4. Phil S

    July 10, 2017 at 11:52 am #

    I hope they are taking this seriously as they just failed PCI DSS compliance. Expiration Date of someones credit card must be protected to be compliant.

Leave a Reply