The AA has been criticised for apparently failing to notify more than 100,000 customers that their personal information was exposed in an incident dating back to late April.
The breach was first disclosed to the public last week when the AA acknowledged the breach on Twitter but said it had not involved “sensitive” information.
That tweet was in response to a message by security researcher Troy Hunt, who posted an alleged direct Twitter conversation between one of his contacts and the AA informing them of the 13 GB of exposed data.
“No data has been compromised,” the AA told Computer Weekly at the time.
Researcher Scott Helme found the same data in an analysis published in part by technology website Motherboard.
Helme found the data also included password hashes used by customers to log into the AA’s online shop.
Hunt told the BBC the breach was “very serious” and told Motherboard the AA’s apparently deliberate decision not to notify customers was “infuriating”.
The data relates to customers of the AA’s online shop, which is operated by a third party and sells maps, car accessories and other products to retailers and individuals.
According to researchers, the data appears to have been contained in two database backup files that were left accessible to the public internet due to a server misconfiguration.
“This incident was related to the AA shop & retailers’ orders rather than sensitive info. It was rectified and taken seriously,” the AA said in its original Twitter response.
The company said it learned of the problem on 22 April and notified the firm that operates the shop, which identified the problem and resolved it on 25 April.
The data was “only accessed several times”, the AA said in a statement.
“We take any data issues incredibly seriously and would like to reassure our AA Shop customers that their payment details have not been compromised,” said AA president Edmund King.
Hunt said he had contacted several of the subscribers to Have I Been Pwned whose details were found in the leaked data, and was told they had received no notification of the breach.
“At no point does their statement acknowledge the severity of the exposed data nor that they failed to notify customers when learning of the exposure,” Hunt told the BBC.
According to the ICO, organisations aren’t legally obliged to notify customers in the event of the exposure of their data, but it’s considered good practice, particularly when a large number of individuals are involved.
Last week the AA separately confirmed it had sent some users password reset confirmation emails, but said the messages had been sent in error and that the passwords hadn’t been reset.
It isn’t clear whether that incident had any link to the earlier data breach or its public disclosure.