Following the AA data breach of 22nd April 2017, there has been further backlash as the AA reportedly failed to notify customers of the breach.
The personal information that was breached related to customers of the AA’s online shop, operated by a third party, which sells maps, car accessories and other products to retailers and individuals.
Due to a server malfunction, personal data stored on two database backup files was accessible to the public.
The AA data breach saga arguably got worse when it transpired that the AA had failed to notify the 117,000 affected customers. Security researcher Troy Hunt posted a Twitter conversation between one of his contacts and the insurance company, informing them of the data breach in which over 13 GB of data was exposed.
The exposed data included names, email addresses, passwords, IP addresses and credit card information. The credit card information consisted of expiry dates, credit card types and the last four digits of the long card number.
It seems completely nonsensical for AA to suggest that ‘no sensitive information’ was compromised, when that’s clearly not the case.
Has the breach been taken seriously?
In a Twitter response, AA stated:
“…this incident was related to the AA shop & retailers’ orders rather than sensitive info[.] It was rectified and taken seriously.”
The severity and seriousness are obviously debatable. First, the AA reportedly didn’t even notify their customers of the breach when it happened; second, they tried to argue that the breach didn’t involve sensitive information.
Their conduct is certainly questionable…
Is there a legal obligation to report data breaches?
Although there isn’t always a legal obligation to notify customers of a data breach, the Information Commissioner’s Office (ICO) says it is good practice for data controllers to report breaches resulting in the loss, release, or corruption of personal data. The most serious breaches must be brought to the attention of the ICO.
The ICO can assess whether the data breach results from the data controller’s failure to adhere to the rules set out in the Data Protection Act (DPA), and what responsibilities the controller has. Unfortunately, ‘serious breaches’ aren’t clearly defined in the ICO’s guidance notes, but the notes suggest breaches should be reported in the following circumstances:
- Where there is detriment to the customers (data subjects). Detriment can include exposure to identity theft through the release of non-public identifiers (e.g. passport numbers), and the release of information that constitutes a private aspect of someone’s life (e.g. financial or medical circumstances).
- The volume of personal data lost, released and/or corrupted. There is a presumption that a large volume of data loss should be reported to the ICO, particularly where there is a real risk that the people involved would suffer harm. This is very subjective and each case will be assessed on its own merits.
- The sensitivity of personal data lost, released and/or corrupted. There is a presumption that, even where smaller amounts of personal data are breached, if the release of that data would cause substantial detriment, including substantial distress, it must be reported to the ICO. If there is uncertainty about whether to report or not, there is a presumption in favour of reporting.
AA’s lax attitude
Mr Hunt contacted customers who had found out through the website Have I Been Pwned that their data was breached. They confirmed that the AA had not notified them of the breach.
Mr Hunt states:
“…at no point does their statement acknowledge the severity of the exposed data nor that they failed to notify customers when learning of the exposure.”