UK car insurance and driving school giant The AA has at last admitted it accidentally spilled its customers’ personal information all over the web.
In an astonishing U-turn, the motoring biz confessed on Friday that people’s names, postal addresses, phone numbers, and email addresses were exposed to the internet – and, in some cases, hashed account passwords and partial payment card numbers. This affects those who have shopped online for car equipment and other gear at TheAA.com.
The admission comes after it emailed folks at the end of June telling them it had reset their passwords: soon after it said it hadn’t, and blamed the mass alert on an IT blunder while insisting that customer “data remains secure.”
Then it emerged this week that TheAA.com account records plus expiry dates and the final four digits of some payment cards had been accidentally made accessible to the public in a 13GB database backup on The AA’s website. Roughly 120,000 accounts were in the bundle, including shoppers’ IP addresses and lists of stuff purchased.
That cockup was discovered and reported to the motoring corp in April and quietly rectified with no announcement or warning, just the files disappearing from view – leading security researchers to accuse the biz of a cover-up.
Amid an ongoing probe by the UK’s data protection watchdog, the ICO, plus an internal investigation, and after giving journalists the silent treatment for days, AA president Edmund King has written to customers apologizing for the kerfuffle. He also blamed an IT supplier for the privacy leak.
“It has taken us a long time to sort this issue out as it was more complex than we thought,” King told The Register in an email.
“However we are now contacting all our customers. The process to really find out what happened was difficult, although that’s no excuse.”
Below is The AA’s statement in response to the security fumble. ®
We are aware of concerns that we fell short in our handling of reports that some personal data from the AA Shop online had been compromised. We accept the criticism that the issue should have been handled better. We are grateful for the support of the information security community in flagging issues to us.
Some of our customers’ personal data, given to us when they shopped online at our AA shop, became insecure when our service provider made an error with its computer systems leaving backup data exposed. We took steps to correct this when we were notified of this issue and then commissioned an investigation by external experts.
We know that our customers and the information security community expect and trust us to keep information safe and secure, and apologise wholeheartedly for what has happened. We will continue to work hard to keep customer data as safe as possible.
We again thank those of you with an interest in these important matters for your cooperation in helping us improve our data security.
By Chris Williams, Editor in Chief
This article (and image) was originally posted here: http://www.theregister.co.uk/2017/07/08/aa_apology_security_breach/