Automobile Association under fire for car-crash handling of data breach


Presumably they'll move on from "No credit card information" to "only a few customers".


Taking it seriously

From the Beeb report linked in the article:

AA president Edmund King said it first learned about the problem with data used for its online shop on 22 April. Soon after discovery, the firm that runs the shop on the AA's behalf was told about the problem.

"They identified the vulnerability and the issue was resolved on 25 April," he said.

...

The AA said it investigated, sampled the data and, because it was not sensitive and only accessed a few times, ended the investigation.

...

"We take any data issues incredibly seriously and would like to reassure our AA Shop customers that their payment details have not been compromised," said Mr King.

So it took 3 days to rectify after discovery (how long was it exposed before then?) and because it only contained names, email addresses and incomplete credit card information they closed the investigation. I wonder just how casual they might have been if they didn't take data issues incredibly seriously.


Re: Taking it seriously

Heh. Nice catch. Yet another case where, I suppose, it's best to take "incredibly" in the literal sense.

I certainly don't believe how seriously they take data issues.


Re: Taking it seriously

"Only accessed a few times"

So that's only a few database dumps making their way round the Internet then. Nothing to bother about.


Re: Taking it seriously

While it's nice to jump on people for having a security breach and leaking customer data, note that April 22 was a Saturday. The article doesn't say what the server misconfiguration was or how long it took to identify it.

And I can't speak for the other info leaked, but masked card numbers (last 4 digits) are not considered Cardholder Data. Last 4 isn't even considered particularly sensitive; that is why it is printed on register receipts.


Re: Taking it seriously

I must confess that I don't know the specification for the make-up of credit/debit card numbers. I do suspect that, like sort codes, there is read-over from the issuing bank. So, knowing that I bank at, say, Coutts whose credit cards are issued by, say, Lloyds, some of the 16 digit number will be within a given range. Now add a definitive last quartet and it just makes the number crunching that much easier.

But it's OK, it's the AA and, experts as they are in all things motor related, they have reassured me that I need not worry about high tech fraud.

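The structure the comment above suspects is in fact public (ISO/IEC 7812): the leading digits of a card number are the issuer identification number (IIN, commonly called the BIN), and the final digit is a Luhn check digit computed from the rest. The script below is an added illustration, not code from any commenter or from the AA, and it assumes a 16-digit card number, a six-digit IIN already known to the attacker, and the widely published Visa test number 4111111111111111 as constructed sample input. It shows why "first six plus last four" is the usual display-masking limit (the PCI DSS convention) and how much of the number is actually left to guess once those ten digits are known: the Luhn check fixes one of the remaining six, so 10^5 candidates rather than 10^6.

```python
import itertools

DIGITS = "0123456789"


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the ISO/IEC 7812 Luhn check.

    Every second digit from the right is doubled, 9 is subtracted when the
    doubled value exceeds 9, and the digit sum must be a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display-mask a PAN the way PCI DSS permits: at most the first six
    and last four digits are visible, everything in between is starred."""
    if len(pan) < 10:
        raise ValueError("PAN too short to mask to first-six/last-four")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def candidates(prefix: str, last4: str, length: int = 16):
    """Yield every Luhn-valid PAN of the given length that starts with
    `prefix` and ends with `last4`, by brute-forcing the hidden middle."""
    middle_len = length - len(prefix) - len(last4)
    if middle_len < 1:
        raise ValueError("prefix and suffix leave no digits to guess")
    for middle in itertools.product(DIGITS, repeat=middle_len):
        pan = prefix + "".join(middle) + last4
        if luhn_valid(pan):
            yield pan


def count_candidates(prefix: str, last4: str, length: int = 16) -> int:
    """Brute-force count of Luhn-valid PANs matching prefix and suffix."""
    return sum(1 for _ in candidates(prefix, last4, length))


def search_space_size(prefix: str, last4: str, length: int = 16) -> int:
    """Closed-form size of the same search space.

    Each hidden digit contributes a value mod 10 that is a bijection of the
    digit (for both weight 1 and the double-minus-nine rule), so the Luhn
    condition pins exactly one hidden digit given the others: 10^(hidden-1).
    """
    hidden = length - len(prefix) - len(last4)
    return 10 ** (hidden - 1)


if __name__ == "__main__":
    # Constructed sample: the published Visa test number, not a real card.
    pan = "4111111111111111"
    print(pan, "Luhn valid:", luhn_valid(pan))
    print("masked:", mask_pan(pan))
    # Attacker knows IIN (first six) and the last four from a receipt/leak.
    print("candidates left to guess:", search_space_size(pan[:6], pan[-4:]))
```

Running it prints that the masked form is `411111******1111` and that 100000 Luhn-valid numbers remain, which is why a leaked last four is a useful phishing prop and a useful filter, but not by itself a usable card number; the expiry date and CVV are still missing even after the middle digits are guessed.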

Seriously?

Unless it has a big impact on their share price I doubt they'll see it as very serious at all.

Fines etc. are just another corporate risk.


So all the details for a nice little phishing scam?

Only question is should it originate from the AA or the card provider?


Re: So all the details for a nice little phishing scam?

Dear customer,

Due to new "know your customer" regulations, we must ask you to confirm your account details with us within the period of one calendar month. If you fail to do so we will be forced to lock your account and you will have to book an appointment at your local branch with the data we require and two forms of primary ID (what is this?)

Please click here to be taken to our secure page on our Internet banking website where you can confirm the data we need:

- house number

- postcode

- the first 12 digits of your credit card number. For security do not enter the last four.

- CVV number (where is this?)

We thank you for your understanding and co-operation in this important matter.

P. Fisher.

Regulatory Compliance.

Anonymous Coward

Data loss should always be a red flag event.

...or should that be a Green Flag?


Re: Data loss should always be a red flag event.

I think you had to RAC your brains for that one...

Anonymous Coward

Re: Data loss should always be a red flag event.

Heh Heh ! :-) You're right, I of little brain.

It took me a long time to get there too.

Mine's the bright yellow one with "Fourth Emergency Service" written on the back.


Update on the story

From Kevin Beaumont with h/t to Troy and Graham Cluley:

https://twitter.com/GossiTheDog/status/883385314470965253
