Taking it seriously
From the Beeb report linked in the article:
AA president Edmund King said it first learned about the problem with data used for its online shop on 22 April. Soon after discovery, the firm that runs the shop on the AA's behalf was told about the problem.
"They identified the vulnerability and the issue was resolved on 25 April," he said.
The AA said it investigated, sampled the data and, because it was not sensitive and only accessed a few times, ended the investigation.
"We take any data issues incredibly seriously and would like to reassure our AA Shop customers that their payment details have not been compromised," said Mr King.
So it took 3 days to rectify after discovery (how long was it exposed before then?) and because it only contained names, email addresses and incomplete credit card information they closed the investigation. I wonder just how casual they might have been if they didn't take data issues incredibly seriously.