Breakdown and car insurance outfit AA has been scolded for its handling of a data breach that spilled customer email addresses and partial credit card numbers.
Data from the AA's online shop leaked online in April due to a server misconfiguration. The whoopsie gave access to backup files about orders for maps, motoring accessories and other products.
Troy Hunt, the security researcher behind the haveibeenpwned website, warned that the leak contained partial payment details (the last four figures of credit card numbers) as well as names and other sensitive information. Expiry dates and the final four digits of payment cards were exposed as a result of the leak, Hunt was able to confirm through subscribers to haveibeenpwned. Analysis of the data obtained by Motherboard - hat tip for the scoop - found 117,000 unique email addresses as well as credit card data snippets.
Hunt said that the last four digits of a card are frequently used for identity verification in explaining his concern about the problem.
In response, the AA played down the significance of the incident, which it said has since been submitted for an independent investigation.
The AA Shop data issue is now fixed, No Credit Card info was compromised— The AA (@TheAA_UK) July 3, 2017
& an independent investigation is under way. We're sorry.
The motoring organisation is yet to respond to follow-up questions from The Register about the breach. The ICO is investigating. An ICO spokesperson told El Reg: "Businesses and organisations are obliged by law to keep people's personal information safe and secure. We are aware of an incident involving the AA and are making enquiries."
Some of the AA customers affected are concerned about a possible cover-up, including security researcher Kevin Beaumont.
Last week the AA created confusion after erroneously telling members to reset their passwords. The association's website buckled under the demand, as previously reported. At the time the AA reassured customers that their data remained secure. ®