A couple of days ago, reports came in that The Automobile Association (The AA), a British motoring association, had suffered a massive data breach. As a result, 13GB of its highly sensitive customer and financial data was exposed online.
The AA denied that the leaked data contained any sensitive information, but Scott Helme, the cyber-security researcher who discovered the data online, disclosed that an unprotected AA server contained personal and sensitive information on more than 100,000 customers, including names, email addresses and partial payment card details.
In reply, the company’s president, Edmund King, said that the AA was already aware of the problem and had conducted an investigation to address it. The investigation found a “misconfiguration” that allowed public exposure of two backup files containing information about AA Shop orders for items such as maps, placed by retailers and some individual customers.
The firm running the shop was informed about the issue. King further said that because the data had been accessed only a few times, the AA concluded its investigation there. According to the AA, the incident took place between 22 and 25 April 2017.
However, Troy Hunt, founder of the Have I Been Pwned website, begged to differ and contacted the BBC with his analysis, which found 117,000 unique email addresses of AA customers along with their names, IP addresses, credit card types, the final four digits of the card numbers and their expiry dates.
Hunt posted a tweet (@troyhunt, 3 July 2017) showing a screenshot of a chat between him and an AA representative back in April.
Hunt also contacted some of the customers whose data was exposed by the “misconfiguration”; they told him they had never received any security notice or email notification about the breach.
Scott Helme, for his part, conducted his own investigation and told Motherboard that he had found data similar to that described by Hunt. However, in tweets sent yesterday, The AA was still denying that customers’ credit card data was ever leaked.
In reply, security journalist Graham Cluley shared a screenshot on Twitter showing AA Travel Shop credit card data, including the last four digits of a card number, card type, security code, state and expiry date.
Nevertheless, despite being given proof of the credit card data leak by three security researchers, The AA is sticking to its claim that no payment card data was leaked. What is more irritating for customers is that they were never informed about the breach until the researchers exposed the incident on Twitter.
This is not the first time a misconfigured database has exposed users’ personal data, nor is it new for misconfiguration to be blamed for a data breach.
In the past, 191 million US voter registration records, Mexico’s entire voter database, 13 million MacKeeper user records, 1.5 million users’ data from a dating site, sensitive data from an explosives-handling company, data on thousands of US Air Force officials, data on 200 million US citizens, 180,000 accounts from a voyeur adult website, medical data of veterans affected by sleep disorders, 8 million business accounts held in a MongoDB database, and several other data leaks took place because of misconfigured databases.