[BreachExchange] Why AA didn’t inform customers after a massive data leak

Destry Winant destry at riskbasedsecurity.com
Thu Jul 6 19:56:08 EDT 2017


http://securityaffairs.co/wordpress/60696/breaking-news/aa-data-leak.html

A backup containing sensitive information on more than 100,000 AA
customers was exposed online, but the company didn’t disclose the
incident.

UK car insurance company AA is being heavily criticized over its
handling of a data breach that exposed customer email addresses and
partial credit card numbers in April.

A server misconfiguration was the root cause of the exposure of data
from the AA's online shop: backup files containing orders for maps,
motoring accessories and other products were reachable from the web.

The incident was publicly disclosed last week when security expert
Troy Hunt criticized the way AA had downplayed a massive data breach
that exposed about 13GB of database backups.

The AA confirmed: “the incident affected AA shop & retailers orders
rather than sensitive info. It was rectified & we take this
seriously.”

According to Troy Hunt, the leak also exposed users' partial payment
details (the last four digits of credit card numbers) and other
sensitive information.

According to Motherboard the leaked dump contains 117,000 unique email
addresses as well as portions of credit card data.

“The data obtained by Motherboard contains 117,000 unique email
addresses, as well as full names, physical addresses, IP addresses,
details of purchases, and payment card information. Those card details
include the last four digits of the credit card and its expiry date.”
states the blog post published by Motherboard.

“The data also appears to include a number of password hashes, and
according to security researcher Scott Helme, an expired certificate
and private encryption key.”

“This is essentially the username and password that the AA use to
login to their Secure Trading account,” Helme wrote in an analysis of
the breach shared with Motherboard.

Even if only a small portion of a credit card number has been exposed,
the last four digits and expiry date are routinely used as identity
verification factors, so their exposure puts the cardholders at risk of
identity theft.

The ICO confirmed it is aware of the incident and that it is
investigating the case.

“Businesses and organisations are obliged by law to keep people’s
personal information safe and secure. We are aware of an incident
involving the AA and are making enquiries.” an ICO spokesperson told
El Reg.

According to the AA, the data was “only accessed several times.”

“Legal letters warning against a dissemination breach under the
‘Computer Misuse Act’ will be issued. The ICO [Information
Commissioner’s Office] has been informed and we have commissioned a
full independent investigation into the issue. We take any data issues
incredibly seriously and would like to reassure our AA Shop customers
that their payment details have not been compromised,” reads the
statement from AA.

A few days ago, the company accidentally sent out a ‘password update’
email to its customers; at the time, it said the problem was caused by
human error.
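The root cause reported above is a backup left inside a web-served
directory. The following is an added example, not code from the article
or from the AA, of the check an administrator could run against a shop's
document root: it lists every backup-style file that the web server would
happily serve and flags any that also carry a PEM private key, the kind of
material Scott Helme found in the dump. The suffix list, the directory
layout and the sample files are constructed for the demo.

```python
"""Added example (not from the Security Affairs article or from the AA):
walk a web document root, report files that should never be web-reachable
(database dumps, archives, stray backups) and flag any that also contain a
PEM private key. All paths and contents below are constructed samples."""
import os
import re
import tempfile

# Extensions typically produced by ad-hoc backups and DB exports.
# Assumption: a generic list, not tied to the AA incident.
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".bak", ".dump", ".tar", ".tar.gz",
                   ".tgz", ".zip", ".old", ".orig", ".7z")

# PEM header for unencrypted or encrypted private keys of common types.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")


def is_backup_name(name):
    """True if the filename ends with a backup-style suffix (case-insensitive)."""
    lower = name.lower()
    return any(lower.endswith(s) for s in BACKUP_SUFFIXES)


def contains_private_key(path, max_bytes=1 << 20):
    """Scan the first max_bytes of the file for a PEM private-key header."""
    with open(path, "rb") as fh:
        return PEM_KEY_RE.search(fh.read(max_bytes)) is not None


def audit_docroot(docroot):
    """Return a sorted list of (relative_path, has_private_key) for every
    backup-style file under docroot. Anything listed is served by the web
    server unless an explicit deny rule blocks it."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if not is_backup_name(name):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot)
            findings.append((rel, contains_private_key(full)))
    return sorted(findings)


def build_demo_docroot():
    """Constructed sample tree: a shop docroot holding a stray SQL dump that
    also embeds a private key, an archive, and an ordinary page that must
    not be flagged."""
    root = tempfile.mkdtemp(prefix="shop-docroot-")
    os.makedirs(os.path.join(root, "backups"))
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>shop</body></html>\n")
    with open(os.path.join(root, "backups", "orders-2017-04.sql"), "wb") as fh:
        fh.write(b"INSERT INTO orders VALUES (1, 'alice@example.com', '4242');\n"
                 b"-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed...\n"
                 b"-----END RSA PRIVATE KEY-----\n")
    with open(os.path.join(root, "site.tar.gz"), "wb") as fh:
        fh.write(b"\x1f\x8b\x08\x00constructed")
    return root


if __name__ == "__main__":
    demo = build_demo_docroot()
    for rel, has_key in audit_docroot(demo):
        flag = " (contains PEM private key)" if has_key else ""
        print("exposed backup: %s%s" % (rel, flag))
```

The scan is a detection, not a fix: the durable remedy is to keep backups
outside the document root altogether and to add a server-side deny rule
for these suffixes so that a future stray file is not served even if it
lands in the wrong directory.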


More information about the BreachExchange mailing list