The AA suffered a major data breach in April that compromised sensitive details of 117,000 customers, but it failed to notify those customers about the breach.
The AA initially maintained that the data breach compromised a few orders from customers but that no sensitive information was leaked.
The data breach in question has been attributed to a server misconfiguration by the AA, and the information exposed included orders for maps and other products from customers and other retailers from the company's online shop. The AA is presently conducting an independent inquiry on the breach and has informed the Information Commissioner's Office about it.
According to Edmund King, the President at the AA, the investigation into the data breach was closed on April 25 after the vulnerability had been discovered and fixed. The company's internal investigation also found that no sensitive data had been breached and that the affected backup files were only accessed a few times.
"We take any data issues incredibly seriously and would like to reassure our AA Shop customers that their payment details have not been compromised," he said.
However, Troy Hunt, a security researcher who runs a popular website named Have I Been Pwned, conducted his own investigation into the data breach. He found that the data contained as many as 117,000 email addresses, names, web addresses, credit card types, final four digits of credit card numbers and expiry dates.
"I have confirmed with many Have I Been Pwned subscribers in the data and they have verified that it's accurate. They're customers of the AA and they never received a notification about the data exposure. At no point does their statement acknowledge the severity of the exposed data nor that they failed to notify customers when learning of the exposure," Hunt told the BBC.
“Businesses and organisations are obliged by law to keep people’s personal information safe and secure. We are aware of an incident involving the AA and are making enquiries,” said a spokesperson from the Information Commissioner's Office.