Customers have been left in the dark about a security breach at the British Automobile Association (AA). Though large amounts of data were exposed last month, one of the UK's largest car insurers failed to tell its customers.
A misconfigured server led to the exposure of 13 gigabytes of transaction data on the AA shop. That tranche included a database containing information on over 100,000 customers.
News of the leak surfaced last week, and a sample of the leaked data was handed over to the tech outlet Motherboard. Troy Hunt, founder of haveibeenpwned.com, found 117,000 email addresses along with names, IP addresses and credit card details including card type, expiry dates and final four digits.
Speaking to Motherboard, security researcher Scott Helme said it also included password hashes, an expired security certificate and a private encryption key – the login to the AA's secure trading account.
The leaky database was first discovered by the AA on April 22 and fixed by April 25. In the time that it had been exposed, it had reportedly been accessed by several unauthorised parties.
An investigation by the AA deemed the exposed data not to be sensitive, meaning that the organisation did not feel it necessary to tell customers.
Given that the AA's database was accessed by several unauthorised parties, Ilia Kolochenko, CEO of High-Tech Bridge, told SC Media UK, “we should be prepared that the entire 100k database is breached and will be for sale on the Dark Web soon.”
Still, added Kolochenko, “Allegations about the deliberate concealment of the data breach by the AA seem to be highly unlikely for the moment. We can probably speak about a negligent, and thus incomplete, investigation, but nothing more so far.”
Ross Brewer, vice president and managing director of EMEA at LogRhythm, was less forgiving. He told SC, “When organisations detect a breach, it should be their first priority to inform all affected customers and take steps to ensure the continued protection of any exposed data.” If they don't, then personal data can be left in the open for longer than it should be. “It only takes one hacker to be in the right place at the right time to cause very real damage.”
Come May 2018, there will be repercussions for such lapses under the EU's General Data Protection Regulation (GDPR), which imposes heavy fines for the non-compliant. Brewer added, “Under GDPR, the AA would almost certainly be facing a fine for non-disclosure.”
Under article 83 of the GDPR, data controllers can be fined up to €10 million or two percent of global turnover for failure to notify the supervisory authority about a data breach within 72 hours.
Preventing incidents like this, and avoiding the resulting fine, will require organisations to have far better visibility over their networks. “While the AA may have won on the detection front, it fell short on the response – and this, is where organisations will face the harshest judgement,” Brewer said.
The AA has started an inquiry into the incident.