Leading U.K. motoring company the AA is the latest to be involved in a data breach scandal that could end up being crippling for customers.
AA President, Edmund King, finally confirmed they were informed of the potential vulnerability of the AA Shop data on 22nd April 2017.
The motoring company reportedly misled customers by denying they had any knowledge of the leak and tried to reassure customers that their information was very secure. Researchers weren’t convinced this was the case and so decided to dig deeper, and it has since transpired that AA knew about the vulnerability in their database systems back in April.
The motoring company reportedly told Motherboard that they had fixed the system on 25th April after it was only accessed ‘several times’. Since this ‘fix’, the information of more than 117,000 clients has been found online.
What information was leaked in the AA data breach?
The 13 gigabytes of leaked data included email addresses, purchase histories and full credit card payment information! The payment information even included the expiry dates and last 4 digits of the cards. This could easily allow cyber-hackers to use the information to cause further damage.
Credit card information is notoriously sold on the black market/dark web. According to McAfee researchers, basic details for Visa, MasterCard, Amex, or Discover cards, which include the card number and software-generated information, can go for $25-$30 (£19-£23) in Europe. With AA exposing their customers’ full credit card information, cyber-hackers could have a field day. The huge database was published for a few days in April.
Motherboard confirmed the leaked information was legitimate after they spoke to some of the customers who were affected by the data breach.
No notification
The company has reportedly yet to contact or notify affected customers. What’s possibly even more surprising is the fact that AA reportedly denied that the leaked information was sensitive in nature. This is despite evidence to the contrary. It’s also a no-brainer that credit card information is considered sensitive information. Who in their right mind wouldn’t think it was sensitive?
The motoring company said it investigated, sampled the data, and came to the conclusion that, because it had only been accessed a few times, it wasn’t considered sensitive, and consequently ended the investigation.
Mr King stated:
“…[we] would like to reassure our AA Shop customers that their payment details have not been compromised.”
Is he deluded? There is clear evidence to show that they have been compromised!!!
He also stated:
“We take any data issues incredibly seriously.”
The contradiction in this statement is incredible. He obviously hasn’t taken it that seriously or he would’ve alerted their customers about the data breach as soon as it happened. His words feel like empty promises.
If you have been affected by this, we urge you to get in touch with our Data Leak Lawyers as soon as you can!