The AA's copped to credit data blurt, but what about car-crash incident response?

UK motoring organisation The AA belatedly admitted late on Friday, July 7th that customer data – including in some cases partial credit card numbers – had been exposed in a recent breach. Security experts gave the confession a frosty response while a specialist IT lawyer said incident response handling of this type would risk …

  1. chris street

    Not compromised?

    Someone's been running through my MasterCard and maxing it out. Now since that card is the one used on the AA site, and it's only happened just after the breach occurred.... and I pay good heed to making damn sure details are not kept anywhere for recurring renewals.

    Well, it's not absolute proof of course, but there is a bit of smoke about the gun.

    As for their laughable PR disaster in handling this - I think we will be parting ways at next renewal....

    1. Anonymous Coward

      Re: Not compromised?

      More likely to be your friendly petrol station or newsagent, rather than this breach...unless the encryption used was piss poor....Hmmmm

      1. Anonymous Coward

        Re: Not compromised?

        "More likely to be your friendly petrol station"

        I came on to say the same thing. The data in the leak was no different to what you find in the dustbins on every gas station forecourt where someone pays by credit card, then throws the receipt in the bin as they pass it on the way back to the car. Add to that supermarket car parks and pretty much any dustbin outside any retail outlets that take credit cards. An old problem made easier with the internet.

        1. Doctor Syntax

          Re: Not compromised?

          " The data in the leak was no different to what you find in the dustbins on every gas station forecourt where someone pays by credit card, then throws the receipt in the bin as they pass it on the way back to the car."

          That's the customer's choice. The AA leaking data isn't. There's a difference.

        2. Lotaresco

          Re: Not compromised?

          "I came on to say the same thing. The data in the leak was no different to what you find in the dustbins on every gas station forecourt where someone pays by credit card, then throws the receipt in the bin as they pass it on the way back to the car."

          Wrong. The paper slip does not show the start and expiry dates for your payment card nor does it reveal your AA user account and password.

  2. AlexGreyhead

    So does this mean I'll be needing to phone one of the first three emergency services to report that my credit card's being used courtesy of the fourth emergency service leaking my details?

    Oh well, at least if evil scammers have stolen all the money off my credit card, Mrs Greyhead won't be able to spend it all...

  3. JimmyPage

    Page's rule of life ...

    *Anybody* can fuck up.

    So it's not the "fucking up" which defines an organisation, it's how they handle it subsequently.

    Which is why I have been happy to return to companies that have handled their fuck ups properly.

    1. Doctor Syntax

      Re: Page's rule of life ...

      "companies that have handled their fuck ups properly."

      Do such things really exist?

      1. Anonymous Coward

        Re: Do such things really exist?

        Plenty ... Amazon and eBay in my 20-year experience for a start.

        And one who didn't ... Marks and Spencer. Where the customer assistance manager decided to argue over a broken button ("buttons aren't covered ...") on a 3 week old garment. The silliest thing is they lost my custom over nothing (as they said, "we'd have to replace it under our 28-day pledge").

        That was 5 years ago, and I've not darkened their doors since.

        Also Nationwide ... but then you have to weigh the cost to yourself of a strop :) moving all accounts would be a *lot* of work, and end up spiting me. But they're off my Xmas card list.

        1. Doctor Syntax

          Re: Do such things really exist?

          "Also Nationwide ... but then you have to weigh the cost to yourself of a strop :) moving all accounts would be a *lot* of work, and end up spiting me."

          I've done that twice - not with Nationwide because I've never been with them. If they give bad/negative customer service then don't stay as a customer.

        2. Anonymous Coward

          Re: Do such things really exist?

          Amazon - OK Yep,

          Ebay? Ebay's like a schizophrenic person who passes you to Paypal / and Paypal back to Ebay, a nightmare of a "company"* to deal with, when you have a fraudulent seller.

          *I'm referring to both companies here

    2. Anonymous Coward

      Re: Page's rule of life ...

      Yeah, anybody can fuck-up.

      But webserver configuration 101 is DON'T. EVER. put backups or anything else you don't want exposed in the server root, or anywhere else readable by the webserver:

      '"The misconfiguration that allowed the backups to be viewed was probably something minor like 'browsable directories' that show you the files on a web server or a lapse HTAccess rule set that didn't make the files forbidden," De Vere told El Reg.'

      Even if you don't ever fuck up the configuration, putting them elsewhere is part of "defense in depth" against 0-days.
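Added example (not from the page or any commenter): a small Python audit that walks a document root for stray dump and backup files and checks an Apache `Options` directive for enabled directory listings, the two lapses the comment above describes. The document root and file names it creates are constructed for the demo.

```python
"""Audit a web document root for stray backups and enabled directory listings.
Added example, not from the original page."""
import os
import re
import tempfile

# Suffixes that usually mean "backup or database dump", not web content.
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".bak", ".tar", ".tar.gz", ".tgz", ".zip", ".dump")


def find_backup_files(docroot):
    """Return docroot-relative paths of files that look like backups or dumps."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower().endswith(BACKUP_SUFFIXES):
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def listing_enabled(apache_conf):
    """True if the last effective 'Options' line in an Apache/.htaccess snippet
    leaves Indexes on.  A line without +/- replaces the whole option set;
    a line with +/- adjusts it incrementally."""
    enabled = False
    for line in apache_conf.splitlines():
        m = re.match(r"\s*Options\s+(.+)", line, re.IGNORECASE)
        if not m:
            continue
        opts = m.group(1).split()
        if not any(o[0] in "+-" for o in opts):
            enabled = any(o.lower() == "indexes" for o in opts)  # absolute form
            continue
        for o in opts:
            if o.lower() == "+indexes":
                enabled = True
            elif o.lower() == "-indexes":
                enabled = False
    return enabled


def demo():
    """Constructed docroot: one innocent page plus one stray database dump."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "backups"))
    for rel in ("index.html", "backups/customers-2017-04.sql.gz"):
        with open(os.path.join(root, rel), "w") as f:
            f.write("constructed sample content\n")
    return find_backup_files(root)


if __name__ == "__main__":
    print("stray backups:", demo())
    print("listing on:", listing_enabled("Options +Indexes FollowSymLinks"))
```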

  4. tiggity

    Last 4 digits still an issue

    Even if we believe they only retained the last 4 digits and not the whole CC number (hard to believe much they say with the weaselly behaviour so far), all you need is another breach from another site where in this case the first 4 CC digits are stored and you are well on your way to stitching together CC number guesses (esp when you know the Luhn algorithm helps you cut down options).

  5. Anonymous Coward

    "the discovery of 13GB of publicly exposed backup files. It seems that a server misconfiguration was responsible for the information being openly available on the web for a few days in April."

    NO, the absolutely insane practice of having anything to do with the database stored on the webserver in the first place was mainly to blame.

    It's 2017 and people are still running all their services on the web-facing server FFS. If the database backups were on the webserver then I assume so is the database - and so will the hackers.

    PS - am an AA customer and have heard ZERO from them about this.

  6. Dwarf

    GDPR

    Can't come quickly enough.

    Unless companies feel some pain when they fail to manage our personal data properly, they will continue to be laid back about things.

    I might only be a row in a database to you, but my personal data is valuable to me - hence the word personal. For example when the bad guys run off with all our cash, it might stop us putting food on the table whilst we sort out your mess.

    Customer service is the whole thing - treat us well and give good service and we might come back. Don't give a damn - well there's a good chance that we won't either.

  7. Roopee

    Not what it used to be

    The AA ceased to be a 'service' for 'members' many years ago, around 1990 if I remember correctly. It is purely and simply a finance house and insurance company, with all the negative connotations that that implies.

  8. Bob Hoskins

    Why the pic of

    the Paul Walker death car?

  9. Anonymous Coward

    I bet there are some furious people out there wondering where their gosh damn free credit monitoring is right now.

    That'll make people happy and show the AA is doing something.

    As a side note what happens if you have lost data in multiple breaches? How much monitoring can one person have?

  10. Doctor Syntax

    Prompt disclosure to be mandated by the GDPR isn't just some piece of arbitrary red tape. It's because it's a Good Thing. The fact that it's the best part of a year from becoming mandatory doesn't make it less of a Good Thing right now. Its not yet being mandatory in no way excuses the AA from acting properly.

  11. gypsythief

    What planet is the Data Protection Act from?!?!

    "Medical data, information on sexual preference or trade union membership are defined as sensitive information under the current Data Protection Act but this characterisation doesn't apply to credit card info and the like."

    I'm mildly asthmatic, have an odd rash on my right leg, am heterosexual, and not a member of any trade unions. There.

    Now, my credit card info? Bog right off!

    1. edge_e

      Re: What planet is the Data Protection Act from?!?!

      As a non-unionised heterosexual who, from what you've disclosed, doesn't have AIDS, you've probably nothing to worry about. Unfortunately there are still people in the world who will stigmatise those who fall into those categories. As for your credit card number, it may cause you a headache for a short period of time while you wait for a new one.

  12. gypsythief

    Okay, figured it out.

    "Medical data, information on sexual preference or trade union membership are defined as sensitive information under the current Data Protection Act but this characterisation doesn't apply to credit card info and the like."

    The law was made by politicians. They all have herpes*, like choir boys*, and (although not quite a trade union), are members of the Masons, or Knights Templars, or some such*. None of which they want public.

    The credit card they used to subscribe to that porn channel on Sky though? Well, that was a work one, paid for by the public. Who cares if the numbers for that leak!

    *allegedly

  13. Aqua Marina

    Electoral register

    The electoral register contains just as much personally identifiable data as this leak, but I'd be interested to know how many reg pro-privacy-commenters have actually followed the steps to remove themselves from it.

    https://ico.org.uk/for-the-public/electoral-register/

    If you take the steps to remove yourself from the open register now, all subsequent years' registrations will still remain published and in third party hands, so you're not really removing yourself from it, just not keeping it up to date. Unless you move house to a different area, in which case you'll be automatically opted back in, until you notice and opt out.

    1. Doctor Syntax

      Re: Electoral register

      "The electoral register contains just as much personally identifiable data as this leak"

      The electoral register contains partial credit card information and a list of what you've bought from the AA? I never knew that.

      1. Aqua Marina

        Re: Electoral register

        The clue was in the sentence "contains just as much personally identifiable data".

        E.g. Name, address, nationality, DOB, national insurance number, telephone number, previous addresses, email address and signature. Everything your average identity thief needs.

        The last 4 digits of a credit card isn't particularly personally identifiable data.

  14. ~chrisw

    A shame they didn't fess to this earlier. Crims will have gone for the data and no doubt will now be using it to build up better profiles of customers, including verifying active credit cards. Poor show.
