Last night, the AA (the UK's Automobile Association) tweeted that it had resolved a "data issue" on its shop website following reports that sensitive data (including customers' names, addresses, email addresses, and partial credit card information) has been exposed on a publicly-accessible server.
The AA Shop data issue is now fixed, No Credit Card info was compromised & an independent investigation is under way. We're sorry.
Rumours of a data breach involving AA customers first popped up on Twitter over a week ago, when security researcher Troy Hunt said that he had been contacted by someone who had informed the AA of a security problem back in April.
The data remained accessible for a few days, before finally being secured. But the AA decided not to tell its customers in April (or May, or June) that there had been a problem.
What the AA *did* do was warn customers "urgently" that they should not respond to an email seemingly from the AA about a password change.
The company later confirmed that it had indeed sent the email (albeit "in error") and that no passwords had been changed. Which is curious in itself, because some customers did report that their passwords stopped working, and others described on Twitter how when they contacted the AA's support team via telephone they were told that they had been "hacked".
Of course, there is nothing to indicate that the bizarre password reset email had anything to do with the earlier security breach.
If you're finding this confusing to follow, you're seemingly nothing like as confused as the AA.
Amid criticism from the security community and growing media interest, the AA's support Twitter account went into overdrive describing the reports of a data breach on its online store as "speculation" and asserting that "credit card details have not been compromised".
Credit Card details have not been compromised, much of this is speculation.
— The AA (@TheAA_Help) July 3, 2017
Quite how much of the report of a data breach the AA believes to be speculation isn't made clear. And it also doesn't say what's not speculation.
But one thing's for certain. Partial credit card data of AA customers *did* leak out.
Here is a small sample of the data that was exposed through the AA security breach - containing card details such as expiry date and the last four digits of the card number
That's obviously not as bad as full credit card details, but for the AA to downplay the incident and say that "no Credit Card info was compromised" seems wrong on so many levels to me.
With just those last four digits - and accompanying information about the customers' name and contact details - it's easy to imagine how fraudsters could target users, pose convincingly as the AA ("here are the last four digits of your credit card number"), and extract further information that could be maliciously exploited.
Perhaps the AA, and other organisations, would be wise to read Troy Hunt's excellent article about how to properly disclose a data breach. Because the way the AA has handled this incident appears to have been at best shambolic, and at worst downright deceitful.
The Information Commissioner's Office (ICO) have been informed, and the AA says it has brought in independent investigators.
For further discussion of this incident (and the AA's response to this blog post) take a listen to this episode of the "Smashing Security" podcast:Subscribe: iTunes | Google Play | Overcast | Stitcher | RSS for you nerds.