Credit Card Information on 117,000 Customers Exposed in U.K.
The AA, a U.K. motoring organization that provides car insurance, loans, and driving lessons, confirmed that their online store has been compromised. The email addresses, purchase histories, and partial payment card details of 117,000 customers were exposed.
The company is facing criticism because it initially denied any knowledge of the breach; Motherboard reports that the company knew of the breach as early as April yet did not notify customers. The company has since confirmed there was a data breach but maintains that no sensitive information was leaked. A server misconfiguration has been blamed for the incident. Apparently, two backup files that contained customer information were mistakenly posted publicly on April 22. AA President Edmund King said the issue was resolved by April 25.
Two independent security experts claim that sensitive information was exposed. Troy Hunt of Have I Been Pwned obtained copies of the data and found email addresses, net addresses, credit card types, expiration dates, and the final four digits of payment cards. Scott Helme of Motherboard conducted his own analysis and found the same information.
“I have confirmed with many Have I Been Pwned subscribers in the data and they have verified that it’s accurate,” Mr. Hunt told the BBC. “They’re customers of the AA and they never received a notification about the data exposure.”
In the U.K., there is no legal obligation for companies to report security breaches, but it is the norm for companies to release this information to their customers. Information Commissioner Elizabeth Denham also believes serious breaches should be reported to her office.
This is not the first breach U.K. motorists have faced this year. Just a few months ago, a breach at RingGo exposed the data of nearly 2,000 drivers.