UK car insurance firm AA reportedly left over 100,000 customers' personal and sensitive information exposed and failed to notify customers about their leaked data, despite having been aware of a potential breach in its systems. The data was reportedly leaked via an exposed server, which contained a database linked to AA's online store.
The exposed data included 117,000 unique email addresses, full names, addresses, IP addresses, details of purchases, as well as the last four digits and expiry dates of credit cards, Motherboard reported.
However, AA president Edmund King reached out to IBTimes UK to stress that customers' card data was "never at risk" and was not exposed. "The data incident was related to the AA Shop which is run by a third party website supplier with no links to AA Insurance," King said in an email, adding that a "full independent inquiry" is currently underway.
On 26 June, AA customers received password reset emails. However, the firm told Computer Weekly that an "internal error" and "not a hack" resulted in some customers receiving the email and that "no data has been compromised." The firm also claimed at the time that the incident was "related to the AA shop and retailers' orders rather than sensitive info."
King told us that the password reset emails were "100% separate."
"The password reset emails were nothing whatsoever to do with the breach. AA shop system is outsourced so completely separate system," King added. "No passwords were affected in AA Shop breach. As I understand the data relates to retail orders of maps, highway codes etc. for other retailers and some private customers."
King did, however, acknowledge that "Data did include some things in the public domain like addresses of customers who may have bought maps."
However, security researcher Troy Hunt took to Twitter to shed further light on the incident. One of Hunt's followers allegedly warned AA about an insecure database exposing 13GB of data in April. The issue was resolved on 25 April; however, the firm refrained from informing its customers about the incident. It remains unclear how long the data remained exposed before AA was notified about it.
"We can confirm that the AA was informed of a potential vulnerability involving some AA Shop data on 22nd April 2017," the AA told Motherboard. According to the firm, the data was "only accessed several times."
According to security researcher Scott Helme, the leaked data also includes password hashes and a private encryption key. "This is essentially the username and password that the AA use to login to their Secure Trading account," Helme said.
"The most infuriating aspect of this incident is that the AA knew they'd left the data exposed, they knew it had been located by at least one unauthorised party and they knew that a six figure number of customers had been impacted, but they consciously elected to keep it quiet and not notify anyone," Hunt told Motherboard.
"Any data breach is serious hence we are looking at legal action," King told us, adding, "we did not feel customers were at risk of fraud as this related to the AA Shop rather than insurance details."
Security researcher Bob Diachenko of Kromtech Security, which hunts for data breaches, told IBTimes UK that such incidents generally occur when businesses fail to incorporate basic security practices. According to the researcher, breaches and leaks more often occur not as the result of a malicious hack but rather because of organisations' "ignorance" of, or failure to implement, basic security protocols.
The AA has since tweeted out an apology to its customers, adding that the issue is "now fixed" and that no credit card information was compromised. The firm also said that it is conducting an independent investigation into the matter.
This article has been updated to include statements from the AA President Edmund King regarding the incident.