AA Security Breach Highlights Need For GDPR Compliance

A recent security breach at the British Automobile Association (AA) has highlighted the growing need for stringent data security, as well as the need to be compliant with the new European Union General Data Protection Regulation (GDPR), which comes into force on May 25 2018.

Last week Motherboard reported that there had been a security breach at the British Automobile Association: a misconfigured server led to the exposure of over 13 gigabytes of transaction data from the AA shop. This included a large database holding the information of over 100,000 AA customers. Motherboard was made aware of the leak when it was emailed a sample of the leaked data, which included email addresses, IP addresses, names and credit card details.

Originally, following an internal investigation, the British Automobile Association deemed that the leaked data was not sensitive and so did not consider it necessary to notify its customers. However, it has since acknowledged the breach and its seriousness:

“We can confirm that the AA was informed of a potential vulnerability involving some AA Shop data on 22nd April 2017,” the AA said in a statement after being approached by Motherboard, adding that the issue was fixed on 25th April.

Worryingly, the data that was sent to Motherboard contained 117,000 email addresses as well as a great deal of other information, including the last four digits of credit card numbers and their expiry dates. Talking to SC Media UK, Ilia Kolochenko, CEO of High-Tech Bridge, said that:

“We should be prepared that the entire 100k database is breached and will be for sale on the Dark Web soon. Allegations about the deliberate concealment of the data breach by the AA seem to be highly unlikely for the moment. We can probably speak about a negligent, and thus incomplete, investigation, but nothing more so far.”

Other industry experts and commentators have been less forgiving. Ross Brewer, vice president and managing director of EMEA at LogRhythm, told SC Media UK, “When organisations detect a breach, it should be their first priority to inform all affected customers and take steps to ensure the continued protection of any exposed data. If they don’t, then personal data can be left in the open for longer than it should be. It only takes one hacker to be in the right place at the right time to cause very real damage.”

Come May 2018, however, organisations that suffer a data breach will be subject to the heavy fines of the new European Union General Data Protection Regulation. Under it, failure to notify about a data security breach could see companies fined up to €10 million or two percent of global turnover.