UK Car Insurance Company Suffers Data Breach from an Exposed Server

Media Division | July 3, 2017

Data breaches can be one of the most damaging things to happen to an organization. The damage extends beyond the potential data and financial loss of the initial incident. A sufficiently severe data breach can cause an organization to fail under certain conditions. Far too many organizations continue to fall victim to data breaches as a result of unsecured systems and databases, or neglected security points. In yet another instance of this, a UK car insurance company called the AA has suffered quite a severe data breach, which resulted in the exposure of a large amount of customer data.

A rumor of the data breach had initially circulated sometime last week, and the AA’s customer support Twitter account had tried to play it down by stating that customers’ information was secure. Unfortunately, this was far from the case according to reports. Apparently, an exposed server had contained a wealth of customer information from around 100,000 individuals. In some cases, the data even included partial credit card data, such as the last 4 digits of the card number and expiration date. Further exposed information included password hashes, email addresses, names, addresses, purchase information, and IP addresses. In a blatant mistake on the part of the AA, interviews with victims of the breach seem to indicate that the company never directly or officially informed customers of the incident. After the AA was confronted by Motherboard, which had obtained the database, the company said in a statement, “We can confirm that the AA was informed of a potential vulnerability involving some AA Shop data on 22nd April 2017.” They further said that the issue was resolved on April 25th, and yet they had not notified anyone for months.

The AA’s Negligence in Handling the Breach

Inappropriate handling of a data breach like this, unfortunately, occurs far too often. It can sometimes be a bit more understandable if the company is investigating the incident further before notification, or if it did not know about it. But the above seems like a case of pure neglect. The AA had been fully aware of the vulnerability and yet did not say anything about the effects until they were actually confronted with evidence of it. This is completely unacceptable behavior for an organization. Many organizations are in charge of far too much digitally stored data to be neglectful about security. The fact that they did not notify their customers is likely going to have an extremely large impact on their reputation, especially given that they had said last week that customer data was secure.

Mitigating an Incident with Data Breach Solutions

When an incident is actually addressed correctly, unlike the above, there are many different actions that need to be taken, all of which come under the heading of data breach solutions. These can include fixing the immediate vulnerability, finding out how it occurred, notifying the affected public, and, if the breach resulted from an attacker, tracing the source. As mentioned above, an organization can tank when it does not correctly handle a data breach. If it doesn’t fail as a result of a financial loss, it could fail due to losing customers who no longer trust it, especially when the organization apparently tries to obscure and hide the breach, which appears to have been the case with the AA. Massive Alliance offers a series of data breach solutions that can help an organization to correctly mitigate an incident.

