An unprotected database belonging to UK auto insurance company the Automobile Association (the AA) has exposed 117,000 online store customers' full names, email addresses, home addresses, IP addresses and details of purchases, along with credit card expiration dates and the last four digits of credit card numbers, Motherboard reports.
Last week, security researcher Troy Hunt tweeted a screenshot that had been forwarded to him, which appeared to show someone alerting the AA to an exposed 13 GB database on April 23, 2017.
Almost two months later, on June 12, the person followed up to ask if users had been notified of the breach, adding, "I am with your company in a different country and would love to think if I was on that I would be told about it."
Two days later, the AA responded, "Upon your original message we investigated and followed up as per the Internal AA Policies."
"The most infuriating aspect of this incident is that the AA knew they'd left the data exposed, they knew it had been located by at least one unauthorized party and they knew that a six figure number of customers had been impacted, but they consciously elected to keep it quiet and not notify anyone," Hunt told Motherboard.
Acknowledging the Breach
In a statement provided to Motherboard, the AA said, "We can confirm that the AA was informed of a potential vulnerability involving some AA Shop data on 22nd April 2017."
Not reassuringly, the company added that the data was "only accessed several times."
"Legal letters warning against a dissemination breach under the 'Computer Misuse Act' will be issued," the AA stated. "The ICO has been informed and we have commissioned a full independent investigation into the issue. We take any data issues incredibly seriously and would like to reassure our AA Shop customers that their payment details have not been compromised."
Separately, on June 26, some customers received emails notifying them that their passwords had been reset -- but the AA told Computer Weekly that the emails had been sent out by mistake. "To be clear, this was not a hack," the company said. "It was an internal error and no data has been compromised."
None of this seems like a model of how to handle a potential breach.
Need for an Incident Response Team
With the average cost of a data breach in the U.S. now at $7.35 million (according to the Ponemon Institute's 2017 Cost of a Data Breach Study), it's crucial for every company that stores sensitive data to have an incident response plan in place.
Companies with an incident response team save, on average, more than $19 per lost or stolen record, according to the Ponemon report.
And there is reason for optimism -- the SANS Institute's 2017 Incident Response Survey [PDF] found that 84 percent of companies now have at least one dedicated incident response team member in place.
Eighty-seven percent of companies surveyed had responded to at least one incident in the past year.
Regarding the AA breach, High-Tech Bridge CEO Ilia Kolochenko told eSecurity Planet that the company's customers should expect the entire database to show up on the Dark Web soon. "In any case, victims of the breach are better to cancel their credit cards and change all their passwords if they had [the] same or similar ones for all [their] accounts," he said.
Still, Kolochenko said it doesn't seem like the AA deliberately concealed the breach. "We can probably speak about a negligent, and thus incomplete, investigation, but nothing more so far," he said. "Hopefully, the AA can clarify the situation and dispel all doubts shortly."