UK car insurance and driving school giant The AA has at last admitted it accidentally spilled its customers' personal information all over the web.
In an astonishing U-turn, the motoring biz confessed on Friday that people's names, postal addresses, phone numbers, and email addresses were exposed to the internet – and, in some cases, hashed account passwords and partial payment card numbers. This affects those who have shopped online for car equipment and other gear at TheAA.com.
The admission comes after it emailed folks at the end of June telling them it had reset their passwords: soon after it said it hadn't, and blamed the mass alert on an IT blunder while insisting that customer "data remains secure."
Then it emerged this week that TheAA.com account records plus expiry dates and the final four digits of some payment cards had been accidentally made accessible to the public in a 13GB database backup on The AA's website. Roughly 120,000 accounts were in the bundle, including shoppers' IP addresses and lists of stuff purchased.
That cockup was discovered and reported to the motoring corp in April and quietly rectified with no announcement or warning, just the files disappearing from view – leading to security researchers accusing the biz of a cover up.
Amid an ongoing probe by the UK's data protection watchdog, the ICO, plus an internal investigation, and after giving journalists the silent treatment for days, AA president Edmund King has written to customers apologizing for the kerfuffle. He also blamed an IT supplier for the privacy leak.
"It has taken us a long time to sort this issue out as it was more complex than we thought," King told The Register in an email.
"However we are now contacting all our customers. The process to really find out what happened was difficult, although that’s no excuse."
Below is The AA's statement in response to the security fumble. ®
We are aware of concerns that we fell short in our handling of reports that some personal data from the AA Shop online had been compromised. We accept the criticism that the issue should have been handled better. We are grateful for the support of the information security community in flagging issues to us.
Some of our customers' personal data, given to us when they shopped online at our AA shop, became insecure when our service provider made an error with its computer systems leaving backup data exposed. We took steps to correct this when we were notified of this issue and then commissioned an investigation by external experts. This is ongoing, but we can now share the following information:
- We have notified the relevant authorities.
- We have emailed all of the customers affected with more details. Some emails may still be going through.
- The data affected in all cases included names, addresses, phone numbers and email addresses.
- For some customers who shopped with us prior to October 2014 it will also have included partial payment card information.
- We do not believe customers who only shopped with us after January 2017 to have been affected at all.
- Some encrypted passwords were included in the data. Whilst we do not believe that customer accounts at our AA shop were accessed, we are reminding customers of industry advice that they should consider changing their password if they used it on other sites. We will offer support to our customers. Similarly, while there is no information from customers or our specialist advisors that any data has been used for fraudulent activity, we have reminded customers that they should always look out for phishing and other scams.
- This incident originated from third party systems outside our own network and did not affect main AA systems such as those processing insurance or membership information.
- Nonetheless, it is clear that our supplier's security safeguards in this instance fell short of the high standards that we and our customers rightly expect.
We know that our customers and the information security community expect and trust us to keep information safe and secure, and apologise wholeheartedly for what has happened. We will continue to work hard to keep customer data as safe as possible.
We again thank those of you with an interest in these important matters for your cooperation in helping us improve our data security.