UK motoring organisation The AA belatedly admitted late on Friday, July 7th that customer data – including in some cases partial credit card numbers – had been exposed in a recent breach. Security experts gave the confession a frosty response while a specialist IT lawyer said incident response handling of this type would risk severe sanctions when new data protection laws come into effect next May.
The breach affected 117,000 customers of the AA's online accessories store and resulted in the exposure of personal information (names, addresses, phone numbers and email addresses) and, in some cases, partial credit card data (expiry dates and the final four digits of payment cards).
After initially claiming last Monday that no credit card information had been compromised, and after attempting to force security pundit Graham Cluley to pull a post featuring a redacted screenshot of a sample of the leaked data, the AA backtracked late on Friday.
Cluley told The Register: "It's not so much the security incident, it's the god-awful post-incident handling and cover-up that has probably done the most damage. It took them ages to come clean that a breach had occurred at all and, of course, an eternity to 'fess up and notify affected users.
"Even now I haven't seen any statement on their Twitter accounts – where they were still denying the credit card data exposure last week – or on their online store or on their main website. That suggests to me that they're still trying to 'manage' the fallout rather than informing customers about what happened clearly and transparently.
"Clearly the AA should be reading the riot act to whatever third party left their customer data accessible for anyone to see, but they also need to take a long hard look at their own crisis response as it clearly failed badly on this occasion and made an awkward PR situation much worse."
Edmund King, president of the AA, published a blog post and the motoring organisation emailed warnings to customers, admitting some payment card data had been exposed, as previously reported. It conceded that personal information and "encrypted" passwords had also been publicly aired, adding that unnamed external experts were looking into the breach.
"This incident originated from third-party systems outside our own network and did not affect main AA systems such as those processing insurance or membership information," the statement said.
Tell us what's going on
In reaction to an article by fintech expert Neira Jones on data breach incident response, King agreed the AA should have got to the bottom of the problem quicker. Several security researchers were chasing the organisation for answers in the days leading up to the breach going public.
For example, Richard De Vere, principal consultant for The AntiSocial Engineer, an expert in penetration testing and social engineering assessments, contacted the AA on June 26 to inquire about both the password reset issue that the organisation claimed was only a false alarm and the discovery of 13GB of publicly exposed backup files. It seems that a server misconfiguration was responsible for the information being openly available on the web for a few days in April.
"The misconfiguration that allowed the backups to be viewed was probably something minor like 'browsable directories' that show you the files on a web server or a lapse HTAccess rule set that didn't make the files forbidden," De Vere told El Reg.
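As an added illustration, not code from the original article or from the AA, the following Python script shows how a defender would triage web-server access logs for the two symptoms of the misconfiguration De Vere describes: successful responses on directory paths (a likely browsable index) and successful downloads of backup, database or key material from the public web root. The log lines, client addresses and file names are constructed for the example; the size threshold and extension list are assumptions to tune per site.

```python
import re

# Constructed Apache combined-log lines; addresses and file names are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Apr/2017:10:01:02 +0000] "GET /backups/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2017:10:01:09 +0000] "GET /backups/shop-db-2017-04-11.sql.gz HTTP/1.1" 200 734003200 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Apr/2017:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Apr/2017:10:03:44 +0000] "GET /backups/payment-gateway.pem HTTP/1.1" 200 1675 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Apr/2017:10:04:10 +0000] "GET /backups/ HTTP/1.1" 403 199 "-" "curl/7.52.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Artefacts that should never be reachable under a public web root.
SENSITIVE_EXT = (".sql", ".sql.gz", ".bak", ".tar", ".tar.gz", ".zip",
                 ".pem", ".key", ".p12", ".pfx")

def find_exposures(log_text):
    """Return (listings, downloads) built from 200 responses only:
    listings are directory paths whose body exceeds a trivial index page
    (a heuristic for an auto-generated file list); downloads are served
    files with a sensitive extension. Blocked requests (403 etc.) are skipped."""
    listings, downloads = [], []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue  # unparsable, or nothing actually left the server
        path = m["path"].split("?", 1)[0]
        size = 0 if m["size"] == "-" else int(m["size"])
        if path.endswith("/") and path != "/" and size > 1024:
            listings.append((m["ip"], path))
        elif path.lower().endswith(SENSITIVE_EXT):
            downloads.append((m["ip"], path, size))
    return listings, downloads

def bytes_per_client(log_text):
    """Sensitive bytes pulled per client IP, useful when scoping who saw what."""
    totals = {}
    for ip, _, size in find_exposures(log_text)[1]:
        totals[ip] = totals.get(ip, 0) + size
    return totals

if __name__ == "__main__":
    print("listings:", find_exposures(SAMPLE_LOG)[0])
    print("downloads:", find_exposures(SAMPLE_LOG)[1])
    print("bytes per client:", bytes_per_client(SAMPLE_LOG))
```

The 403 on the final line is what the same directory looks like once indexing is switched off and the files are denied, so the script also gives a quick before/after check that the fix took.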
Although much has rightly been made of the leaked partial credit card data, Helme is more concerned about an old certificate and private key (valid between 2008 and 2013), which he found among the backups and which the AA would have used to log into its payment provider.
"I only saw a tiny snippet of the dump and it contained an old cert and key issued by Secure Trading to The AA Shop," he told El Reg. "If they were still doing the same thing prior to the breach then their 2013 to 2018 cert was most likely in there. They've clearly not followed multiple pieces of guidance set out by ST in their documentation."
Helme and De Vere remain unimpressed by the AA's response. Helme told El Reg over the weekend: "It's still not clear why they maintained their position for so long, despite the evidence presented, before finally admitting they did lose the data. I've also not seen anything mentioned about the certificate and key I found in the data. Were they still logging sensitive data in production up until the breach? Have they investigated with their payment provider to see if anyone used their credentials?"
De Vere added: "The AA had private disclosure of the blog post 10 days prior to publication and flat out declined to comment when asked directly about the contents of the breach. Whilst they have since apologised I now suspect these actions come from the instructions of PR management companies and not the belly of the AA company – who have shown disregard for the humble customer."
In its statement, the AA said: "We are aware of concerns that we fell short in our handling of reports that some personal data from the AA Shop online had been compromised. We accept the criticism that the issue should have been handled better."
This is what the AA's PR handlers – currently working overtime – had to say to The Reg:
We have never denied that there was a problem although some commentators have interpreted 'Credit Card details have not been compromised' on AA Twitter as us denying anything had happened.
That is not the case and what we meant was customers shouldn't be unduly concerned as only partial credit card details were in the field. Obviously on Twitter one is restricted as to the amount we could say. But once we knew we have not ever denied there was a problem. We were trying to put it into context whilst [this] has been misinterpreted by some.
Of course, we wanted to communicate earlier and more definitively but, as no doubt you can understand more than most, we really needed to have the analysis of the data so we knew all the facts.
The Reg has asked the AA follow-up questions based on Helme's concerns about the certificate and private key. We'll update this story as and when we hear back.
No legal obligation
Dai Davis, a solicitor at Percy Crow Davis & Co and an expert in data protection law, told El Reg that under current UK law there was no legal obligation to notify customers about the suspected leak of financial information.
Medical data, information on sexual preference or trade union membership are defined as sensitive information under the current Data Protection Act but this characterisation doesn't apply to credit card info and the like.
"If the leaked information contained transaction records and these identified that someone bought something that would indicate they were disabled then that would be notifiable," Davis explained.
Even if an item wasn't named but the price was indicated and that matched the price of an item targeted exclusively at the disabled market then the obligation to notify would exist. The AA is covered by rules that apply to most organisations but telecom providers are bound by stricter data privacy rules related to EU Telecom legislation, a factor that meant TalkTalk was obliged to be upfront about its 2015 breach.
Davis claimed the AA had downplayed and obfuscated news about the leak of sensitive data, a strategy that might land it in trouble now that data privacy watchdogs at the ICO are looking into the case.
"Any ICO punishment would take into account the danger of keeping something quiet and how news of the breach came into the public domain," he said.
An ICO spokesperson said: “Businesses and organisations are obliged by law to keep people’s personal information safe and secure. We are aware of an incident involving the AA and are making enquiries.”
Everything changes next May once the GDPR (General Data Protection Regulation) comes into effect, Davis added.
"The change that will come with GDPR is like chalk and cheese. There will be an absolute duty to notify the information commissioner within 72 hours for all breaches. For serious breaches organisations will be obliged to notify customers by email or taking out advertisements in newspapers."
Ross Brewer, vice president and managing director of EMEA at LogRhythm, an IT security company, criticised the AA's incident response. "When organisations detect a breach, it should be their first priority to inform all affected customers and take steps to ensure the continued protection of any exposed data," he said. "Failing to do so can, and often does, result in confidential information being left ‘in the wild’ for longer than it needs to be. Under GDPR, the AA would almost certainly be facing a fine for non-disclosure." ®