The Automobile Association (AA) — the UK’s largest motoring organization, with over 15 million members — is being heavily criticized over its public handling of a major data incident in April. A server misconfiguration exposed the personal details of more than 100,000 AA Shop customers, but the organization has consistently downplayed the significance of the exposure, and affected customers were not informed.
The incident became public knowledge only last week when security researcher Troy Hunt tweeted that the AA had been notified “about 13GB of exposed DB backups”. The AA responded with what appears to be its first public confirmation, “This incident was related to the AA shop & retailers’ orders rather than sensitive info. It was rectified & we take this seriously.”
AA president Edmund King has since said that for a short period a misconfiguration in the server allowed access to two backup data files. He added, “as the data was not sensitive, and our third-party supplier informed us that the data was only accessed several times, the case was closed.”
Those few accesses were enough for both Troy Hunt and Motherboard to obtain the data. Both confirm that it does contain sensitive data for 117,000 customers: not full card details, but full names, physical addresses, IP addresses, purchase details, and the last four digits of payment cards together with their expiry dates.
That combination would certainly be enough to craft convincing spear-phishing attacks against those customers: a message that cites a real recent order and the last four digits of the card used to pay for it is very hard to distinguish from a genuine AA communication.
The incident does not appear to have been the result of an attack, but the data was nevertheless exposed and has been accessed. Motherboard and Troy Hunt have both seen it and confirmed that it is genuine personal data of AA customers, and it is impossible to guarantee that no bad actor has also seen it.
“When organizations detect a breach, it should be their first priority to inform all affected customers and take steps to ensure the continued protection of any exposed data,” comments Ross Brewer, VP & MD EMEA for LogRhythm. “Failing to do so can, and often does, result in confidential information being left ‘in the wild’ for longer than it needs to be. It only takes one hacker to be in the right place at the right time to cause very real damage.”
Ilia Kolochenko, CEO at High-Tech Bridge, agrees that AA customers should be concerned. “A verified journalistic source says that the database, and apparently AA’s entire web shop, were recently accessed by several unauthorized third-parties,” he told SecurityWeek by email. “Cybercriminals could easily be among them, meaning that we should be prepared that the entire 100k database is breached and will be for sale on the Dark Web soon. However, I would avoid any panic until a first confirmed incident, involving records from the breached database, appears. In any case, victims of the breach would be better off cancelling their credit cards and changing all their passwords if they had the same or similar ones for all their accounts.”
For now, UK data protection laws do not require a private entity such as the AA to disclose breaches. However, those laws do require that personal data is kept secure. The Information Commissioner’s Office (ICO, the UK data protection regulator) has been informed of the incident and is investigating.
The need to disclose will change in just over 10 months when the EU’s GDPR comes into force. “If anything,” adds Brewer, “this points to the need for next year’s GDPR enforcement and the tighter policies that will come with it. Under GDPR, the AA would almost certainly be facing a fine for non-disclosure.”
The AA might indeed still face a fine under current legislation. An ICO spokesperson has commented, “Businesses and organizations are obliged by law to keep people’s personal information safe and secure. We are aware of an incident involving the AA and are making enquiries.” The ICO can impose a fine of up to £500,000 for a breach of the Data Protection Act, and it is unlikely to be happy with the AA’s behavior over the incident. Even though the website may have been operated by a third party, the AA remains the data controller and therefore the liable party.
This is the second misconfiguration-related exposure of UK data reported in as many weeks: in June, a misconfiguration exposed email addresses at the UK government’s Cyber Essentials website.