Last week rumours of a potentially serious data breach at UK car insurance company the AA circulated in the security research community. In response, the AA's customer support Twitter account downplayed those fears, and told users that their data remained secure.
However, an exposed server contained sensitive information on over 100,000 AA customers, in many cases including partial credit card data, according to a database obtained by Motherboard. Judging by interviews with victims, the AA never directly informed affected customers either, even though the company says it knew about the breach in April.
"We can confirm that the AA was informed of a potential vulnerability involving some AA Shop data on 22nd April 2017," the AA said in a statement after being approached by Motherboard, adding that the issue was fixed on 25th April.
The database relates to the AA's online store, where customers can buy a wide selection of car accessories, gadgets, and driving test guides. This store is open to those who aren't AA members too. The AA is one of the largest car insurance and breakdown cover companies in the UK.
The data obtained by Motherboard contains 117,000 unique email addresses, as well as full names, physical addresses, IP addresses, details of purchases, and payment card information. Those card details include the last four digits of the credit card and its expiry date.
The data also appears to include a number of password hashes and, according to security researcher Scott Helme, an expired certificate and a private encryption key.
"This is essentially the username and password that the AA use to login to their Secure Trading account," Helme wrote in an analysis of the breach shared with Motherboard.
Motherboard spoke to two victims whose information was included in the database.
One confirmed credit card payments they made in 2011 and 2014, as well as their partial payment card data, suggesting that the information contained in the database is indeed related to the AA.
"I have checked with my credit card statements and these were legitimate," the person told Motherboard in an email. The second person confirmed their physical address and that they used the AA store.
According to the AA, the data was "only accessed several times."
"Legal letters warning against a dissemination breach under the 'Computer Misuse Act' will be issued. The ICO [Information Commissioner's Office] has been informed and we have commissioned a full independent investigation into the issue. We take any data issues incredibly seriously and would like to reassure our AA Shop customers that their payment details have not been compromised," the AA's statement added. The ICO is the UK's independent body tasked with upholding information rights.
However, it seems the AA never explicitly warned victims of the exposure, even though a researcher said they informed the AA of the data breach months ago.
"A follower just advised they recently notified [the AA] about 13GB of exposed [database] backups," security researcher Troy Hunt tweeted last week. An attached screenshot appeared to show Hunt's follower in a Twitter direct message conversation with the AA.
"In that [directory] is a database backup from your website," the person told the AA in April, according to the screenshot.
It is commonly seen as good practice for companies to be as transparent as possible with their customers around data breaches, and to inform them when their data is exposed. In this case, the AA decided not to.
"The most infuriating aspect of this incident is that the AA knew they'd left the data exposed, they knew it had been located by at least one unauthorised party and they knew that a six figure number of customers had been impacted, but they consciously elected to keep it quiet and not notify anyone," Hunt told Motherboard in an email.
After some back and forth, it appears the AA removed or secured the exposed database. Indeed, in a public tweet on 26th June, the AA wrote, "This incident was related to the AA shop & retailers' orders rather than sensitive info. It was rectified and taken seriously."
Around two months after allegedly reporting the breach, the person followed up, and asked the AA if the company ever informed victims, according to the screenshot.
"Upon your original message we investigated and followed up as per the internal AA Policies," the AA replied. The company also seemingly reset a number of users' passwords, but blamed it on an 'internal error'.
"No data has been compromised," the AA told Computer Weekly at the time.
But our reporting suggests otherwise: the data was publicly available on the internet, was obtained by a third party, and was shared with multiple researchers and Motherboard. And both victims reached by Motherboard said the AA has not informed them of the data breach.
"I've not heard anything from the AA," one said. Neither of these people had user accounts with the AA, meaning that while the AA had exposed personal data, a password reset would have been useless for them.
An ICO spokesperson told Motherboard in an email, "Businesses and organisations are obliged by law to keep people's personal information safe and secure. We are aware of an incident involving the AA and are making enquiries."
Update: This piece has been updated to include comment from the ICO.