The AA may be in need of some cyber-side assistance of its own following reports that a recent data breach exposed sensitive information such as names, addresses and credit card numbers.
The data breach was first discovered on 22 April, when the motoring group first learned of the breach affecting data used for it’s online shop. AA President Edmund King later confirmed that the issue had been fixed by 25 April, blaming a server ‘misconfiguration’ for giving access to two back-up files that contained orders for maps and other products from retailers and customers.
In contrast to today’s news, the AA then stated that the breach only related to shop orders and contained no sensitive information. Security researcher Troy Hunt, however, found 117,000 unique email addresses as well as names and credit card information after analysing the leak. A separate analysis by Motherboard researcher Scott Helme also found the same data in the cache.
“I have confirmed with many Have I Been Pwned subscribers in the data and they have verified that it’s accurate,” Mr Hunt told the BBC. “They’re customers of the AA and they never received a notification about the data exposure.
“At no point does their statement acknowledge the severity of the exposed data nor that they failed to notify customers when learning of the exposure.”
However, although two independent investigations iunto the breach have reached the same conclusions, Ilia Kolochenko, CEO of web application security firm, High-Tech Bridge, says that people should not rush to point the finger of blame.
READ MORE: Top 5 worst data breaches to hit the UK
“At the moment, I would abstain from blaming anyone for the incident. Many important technical details are not clear yet, moreover some claims are contradictory.
“A verified journalistic source says that the database, and apparently AA’s entire web shop, were recently accessed by several unauthorized third-parties. Cybercriminals could easily be among them, meaning that we should be prepared that the entire 100k database is breached and will be for sale on the Dark Web soon. However, I would avoid any panic until a first confirmed incident, involving records from the breached database, appears. In any case, victims of the breach are better to cancel their credit cards and change all their passwords if they had same or similar ones for all the accounts.
“Allegations about the deliberate concealment of the data breach by the AA – seem to be highly unlikely for the moment. We can probably speak about a negligent, and thus incomplete, investigation, but nothing more so far. Hopefully, the AA can clarify the situation and dispel all doubts shortly.”