Automobile Association under fire for car-crash handling of data breach

Breakdown and car insurance outfit AA has been scolded for its handling of a data breach that spilled customer email addresses and partial credit card numbers. Data from the AA's online shop leaked online in April due to a server misconfiguration. The whoopsie gave access to backup files about orders for maps, motoring …

  1. Doctor Syntax Silver badge

    Presumably they'll move on from "No credit card information" to "only a few customers".

  2. Doctor Syntax Silver badge
    Facepalm

    Taking it seriously

    From the Beeb report linked in the article:

    AA president Edmund King said it first learned about the problem with data used for its online shop on 22 April. Soon after discovery, the firm that runs the shop on the AA's behalf was told about the problem.

    "They identified the vulnerability and the issue was resolved on 25 April," he said.

    ...

    The AA said it investigated, sampled the data and, because it was not sensitive and only accessed a few times, ended the investigation.

    ...

    "We take any data issues incredibly seriously and would like to reassure our AA Shop customers that their payment details have not been compromised," said Mr King.

    So it took 3 days to rectify after discovery (how long was it exposed before then?) and because it only contained names, email addresses and incomplete credit card information they closed the investigation. I wonder just how casual they might have been if they didn't take data issues incredibly seriously.

    1. jtaylor

      Re: Taking it seriously

      Heh. Nice catch. Yet another case where, I suppose, it's best to take "incredibly" in the literal sense.

      I certainly don't believe how seriously they take data issues.

    2. Dan 55 Silver badge

      Re: Taking it seriously

      "Only accessed a few times"

      So that's only a few database dumps making their way round the Internet then. Nothing to bother about.

    3. HereIAmJH

      Re: Taking it seriously

      While it's nice to jump on people for having a security breach and leaking customer data, note that April 22 was a Saturday. The article doesn't say what the server misconfiguration was or how long it took to identify it.

      And I can't speak for the other info leaked, but masked card numbers (last 4 digits) is not considered Cardholder Data. Last 4 isn't even considered particularly sensitive, that is why it is printed on register receipts.

      1. Trigonoceps occipitalis

        Re: Taking it seriously

        I must confess that I don't know the specification for the make-up of credit/debit card numbers. I do suspect that, like sort codes, there is read-over from the issuing bank. So, knowing that I bank at, say, Coutts, whose credit cards are issued by, say, Lloyds, some of the 16-digit number will be within a given range. Now add a definitive last quartet and it just makes the number crunching that much easier.

        But it's OK, it's the AA and, experts as they are in all things motor related, they have reassured me that I need not worry about high-tech fraud.
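The point made above about issuer prefixes and a known last four can be quantified. The following is an added example, not code posted by any commenter or published by the AA or its shop provider: it implements the public Luhn check digit used on payment card numbers, the "first six, last four" truncation pattern, and a brute-force count of how many 16-digit numbers are consistent with a leaked truncated PAN. The sample number is a constructed Luhn-valid test value, not a real card.

```python
import itertools

# Constructed, Luhn-valid test number (not a real card).
SAMPLE_PAN = "4539148803436467"


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` passes the Luhn (mod 10) check digit test.

    Working from the rightmost digit, every second digit is doubled and
    digits above 9 are reduced by 9; the total must be divisible by 10.
    """
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_prefix: int = 6, keep_suffix: int = 4) -> str:
    """Truncate a PAN to the first `keep_prefix` and last `keep_suffix`
    digits, the common 'first six, last four' receipt/backup format."""
    hidden = len(pan) - keep_prefix - keep_suffix
    return pan[:keep_prefix] + "*" * hidden + pan[-keep_suffix:]


def count_candidates(prefix: str, suffix: str, length: int = 16) -> int:
    """Brute-force count of `length`-digit numbers that start with `prefix`,
    end with `suffix`, and pass the Luhn check.

    With a 6-digit issuer prefix and the last 4 digits known, 6 digits are
    unknown (10**6 combinations); the check digit sits inside the known
    suffix, so exactly one tenth of those combinations are Luhn-valid.
    """
    unknown = length - len(prefix) - len(suffix)
    digits = "0123456789"
    valid = 0
    for middle in itertools.product(digits, repeat=unknown):
        if luhn_valid(prefix + "".join(middle) + suffix):
            valid += 1
    return valid


if __name__ == "__main__":
    masked = mask_pan(SAMPLE_PAN)
    print("leaked form:", masked)
    n = count_candidates(masked[:6], masked[-4:])
    print("Luhn-valid 16-digit numbers consistent with it:", n)
```

Run stand-alone, it prints the truncated form `453914******6467` and reports 100000 Luhn-valid candidates, down from the 10**6 raw combinations of the hidden digits. That is the arithmetic behind the comment: the truncation standard treats first-six/last-four as safe to store because the remaining search space is still too large to use against live card networks (which also need expiry and CVV and rate-limit failed authorisations), not because the full number is unrecoverable in principle.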

  3. 0laf

    Seriously?

    Unless it has a big impact on their share price I doubt they'll see it as very serious at all.

    Fines etc. are just another corporate risk.

  4. John Smith 19 Gold badge
    Unhappy

    So all the details for a nice little phishing scam?

    Only question is should it originate from the AA or the card provider?

    1. Dan 55 Silver badge

      Re: So all the details for a nice little phishing scam?

      Dear customer,

      Due to new "know your customer" regulations, we must ask you to confirm your account details with us within the period of one calendar month. If you fail to do so we will be forced to lock your account and you will have to book an appointment at your local branch with the data we require and two forms of primary ID (what is this?)

      Please click here to be taken to our secure page on our Internet banking website where you can confirm the data we need:

      - house number

      - postcode

      - the first 12 digits of your credit card number. For security do not enter the last four.

      - CVV number (where is this?)

      We thank you for your understanding and co-operation in this important matter.

      P. Fisher.

      Regulatory Compliance.

  5. Anonymous Coward

    Data loss should always be a red flag event.

    ...or should that be a Green Flag?

    1. Korev Silver badge
      Coat

      Re: Data loss should always be a red flag event.

      I think you had to RAC your brains for that one...

      1. Anonymous Coward

        Re: Data loss should always be a red flag event.

        Heh Heh ! :-) You're right, I of little brain.

        It took me a long time to get there too.

        Mine's the bright yellow one with "Fourth Emergency Service" written on the back.

  6. Tom Paine
    Go

    Update on the story

    From Kevin Beaumont with h/t to Troy and Graham Cluley:

    https://twitter.com/GossiTheDog/status/883385314470965253
