The AA Exposes 100,000+ Customer Records


A breach at the AA, a UK car insurance company, has exposed information on more than 100,000 customers, including names, email addresses and partial credit card details, according to security researchers.

The company said a server misconfiguration was responsible for the information being openly available on the web for a few days in April of this year. It has been criticized for its handling of the incident: after claiming no sensitive information was included in the exposed cache, the company was taken to task when security researcher Troy Hunt said he found 117,000 unique email addresses, names and partial credit card details among the records.

The company never notified its affected customers, he added.

"I have confirmed with many Have I Been Pwned subscribers [Hunt's website for discovering if personal information is available online] in the data and they have verified that it's accurate," Hunt told the BBC. "They're customers of the AA and they never received a notification about the data exposure. At no point does their statement acknowledge the severity of the exposed data nor that they failed to notify customers when learning of the exposure."

He was backed up by a separate analysis from researcher Scott Helme at Motherboard, who found the same personal information amidst the records.

AA president Edmund King said the contractor that the company uses to run its website identified the vulnerability and resolved the issue in two days. He also said that the information was accessed "a few times," but that the AA determined, after random sampling of the exposed records, that no sensitive information had been revealed, and so did not notify customers.

"We take any data issues incredibly seriously and would like to reassure our AA Shop customers that their payment details have not been compromised," King said in a media statement. The company has not publicly commented on Hunt's accusations.
