Reports have surfaced of data breach in April this year in the website shop of motoring / breakdown company the AA which left a large (13 gigabyte) cache of data, including personal customer data viewable online for several days.
Security researcher Scott Helme from ‘Motherboard’, and Troy Hunt of website ‘Have I Been Pwned’ reportedly discovered that a breach in the AA website meant that, what the AA blamed on a server “misconfiguration” actually meant that a huge file, allegedly containing addresses, names and parts of payment card numbers was left exposed online.
Mr Hunt and Mr Helme reported finding 117,000 unique email addresses in the exposed file along with names, net addresses, credit card types, expiry dates and the final four digits of the card.
Motherboard and I Been Pwned subscribers / victims whose information was included in the exposed database were contacted to verify if the details were genuine and accurate, which they were reportedly found to be.
The AA Said…
AA president Edmund King is reported to have said that they first learned about the problem on 22 April. Soon after discovery, the firm that runs the shop on the AA’s behalf was told about the problem, and the vulnerability and the issue was resolved on 25 April. The AA has also reportedly said that, even though the database file was exposed, no (customer) payment details were compromised.
The AA Have Done…
Reports indicate that the AA have stated that they take data security very seriously, opened an independent inquiry into the issue, informed the UK’s data watchdog, the ICO, and issued legal letters warning against a dissemination breach under the ‘Computer Misuse Act’.
The reported criticism of those who discovered and made the details of the breach public appear to focus of accusations that the AA may have not informed of all of the affected customers about the existence and the seriousness of the breach, and may in effect have kept quiet about it until others made it public.
What Does This Mean For Your Business?
This is another in what appears to be a long line of customer data breaches involving high profile, well-known companies. This story is a reminder that, particularly with GDPR coming into force next year, companies need to be very familiar with, and to ensure that they comply with data protection regulations, and to realise that they are obliged by law to keep people’s personal information safe and secure.
Companies need to be as transparent as possible to customers about data breaches, and to inform them when data is exposed, rather than trying to keep quiet.
Businesses can help themselves and their customers avoid heartache by making sure that web and data security are issues that are prioritised, practices and systems are regularly reviewed and assessed for risk to make sure they are effective, compliant, and up to date, and that Disaster Recovery Plans are in place.