Major AA data breach compromised personal details of 117,000 customers

The AA suffered a major data breach in April that compromised sensitive details of 117,000 customers, but the company failed to notify customers about the breach.

The AA initially maintained that the data breach compromised a few orders from customers but that no sensitive information was leaked.

The data breach in question has been attributed to a server misconfiguration by the AA, and the breached information included orders for maps and other products from customers and other retailers from the company's online shop. The AA is presently conducting an independent inquiry into the breach and has informed the Information Commissioner's Office about it.

According to Edmund King, President of the AA, the investigation into the data breach was closed on April 25 after the vulnerability had been discovered and fixed. The company's internal investigation also found that no sensitive data had been breached and that the affected backup files were only accessed a few times.

"We take any data issues incredibly seriously and would like to reassure our AA Shop customers that their payment details have not been compromised," he said.

However, Troy Hunt, a security researcher who runs the popular website Have I Been Pwned, conducted his own investigation into the data breach. He found that the data contained as many as 117,000 email addresses, names, web addresses, credit card types, final four digits of credit card numbers and expiry dates.

"I have confirmed with many Have I Been Pwned subscribers in the data and they have verified that it's accurate. They're customers of the AA and they never received a notification about the data exposure. At no point does their statement acknowledge the severity of the exposed data nor that they failed to notify customers when learning of the exposure," Hunt told the BBC.

“Businesses and organisations are obliged by law to keep people’s personal information safe and secure. We are aware of an incident involving the AA and are making enquiries,” said a spokesperson from the Information Commissioner's Office.

Copyright Lyonsdown Limited 2021
