Last week there were several rumours circling on the internet that thousands of individuals’ private information, including credit card details, found their way online after leading UK motoring organization, The AA – which provides car insurance, loans, driving lessons, and other products and services discovered that its online store had been compromised.
The leak included email addresses, purchase histories and worst of all, full credit card payment information, including the last four digits of the cards in question amongst other personal details.
We can confirm that the AA was informed of a potential vulnerability involving some AA Shop data on 22nd April 2017,
The biggest issue came when the AA denied any knowledge of the leak and assured clients that their information was in fact secure. After continued back and forth between researchers and the company, it was revealed that the AA knew about the vulnerability in their systems in April, and told Motherboard, that it was fixed after it was only accessed ‘several times’. But since then, information found its way online and Motherboard obtained a database of over 117,000 clients’ details.
Although there is no legal obligation on data controllers to report breaches of security which result in loss, release or corruption of personal data, the Information Commissioner believes serious breaches should be brought to the attention of her Office. The nature of the breach or loss can then be considered together with whether the data controller is properly meeting his responsibilities under the DPA,
Motherboard confirmed that the information was legitimate, after verifying some of the data with several of the clients affected by the leak. So far the AA hasn’t notified its clients of the breach, and continue to uphold that the data that was leaked was not sensitive in nature, even with the evidence to the contrary. Although the AA has no obligation to report these issues to their clients, it’s usually the norm for companies to be as transparent as possible when a breach does occur.