Presumably they'll move on from "No credit card information" to "only a few customers".
Breakdown and car insurance outfit AA has been scolded for its handling of a data breach that spilled customer email addresses and partial credit card numbers. Data from the AA's online shop leaked online in April due to a server misconfiguration. The whoopsie gave access to backup files about orders for maps, motoring …
Tuesday 4th July 2017 13:25 GMT Doctor Syntax
Taking it seriously
From the Beeb report linked in the article:
AA president Edmund King said it first learned about the problem with data used for its online shop on 22 April. Soon after discovery, the firm that runs the shop on the AA's behalf was told about the problem.
"They identified the vulnerability and the issue was resolved on 25 April," he said.
The AA said it investigated, sampled the data and, because it was not sensitive and only accessed a few times, ended the investigation.
"We take any data issues incredibly seriously and would like to reassure our AA Shop customers that their payment details have not been compromised," said Mr King.
So it took 3 days to rectify after discovery (how long was it exposed before then?) and because it only contained names, email addresses and incomplete credit card information they closed the investigation. I wonder just how casual they might have been if they didn't take data issues incredibly seriously.
Tuesday 4th July 2017 20:10 GMT HereIAmJH
Re: Taking it seriously
While it's nice to jump on people for having a security breach and leaking customer data, note that April 22 was a Saturday. The article doesn't say what the server misconfiguration was or how long it took to identify it.
And I can't speak for the other info leaked, but masked card numbers (last 4 digits) is not considered Cardholder Data. Last 4 isn't even considered particularly sensitive, that is why it is printed on register receipts.
Tuesday 4th July 2017 20:55 GMT Trigonoceps occipitalis
Re: Taking it seriously
I must confess that i don't know the specification for the make up of credit/debit card numbers. I do suspect that, like sort codes, there is read over from the issuing bank. So, knowing that I bank at, say, Coutts whose credit cards are issued by, say, Lloyds, some of the 16 digit number will be within a given range. Now add a definitive last quartet and it just makes the number crunching that much easier.
But its OK, its the AA and, experts as they are in all things motor related, they have reassured me that I need not worry about high tech fraud.
Tuesday 4th July 2017 15:14 GMT John Smith 19
Tuesday 4th July 2017 16:01 GMT Dan 55
Re: So all the details for a nice little phishing scam?
Due to new "know your customer" regulations, we must ask you to confirm your account details with us within the period of one calendar month. If you fail to do so we will be forced to lock your account and you will have to book an appointment at your local branch with the data we require and two forms of primary ID (what is this?)
Please click here to be taken to our secure page on our Internet banking website where you can confirm the data we need:
- house number
- the first 12 digits of your credit card number. For security do not enter the last four.
- CVV number (where is this?)
We thank you for your understanding and co-operation in this important matter.
Wednesday 5th July 2017 08:33 GMT Anonymous Coward