AA Traveller apologises after huge data breach

Photo: Getty Images

AA Traveller says a data breach has affected hundreds of thousands of customers.

Hackers have taken names, addresses, contact details and expired credit card numbers from the AA Traveller website used between 2003 and 2018.

AA travel and tourism general manager Greg Leighton said the data was taken in August last year and AA Traveller found out in March.

He said a lot of the data was not needed anymore, so it should have been deleted, and the breach "could have been prevented".

"You should be able to give your data and for that to be secure. We understand that and respect that and are incredibly sorry."

Leighton said cybersecurity experts reviewed the breach and "interpreted that the vulnerability definitely was there" and "there was some data that was extracted from the server".

He said the site was then secured "to ensure there's no further risk or vulnerability to individuals concerned".

AA Traveller is contacting all affected customers this week.

The association also identified in 2010 that nearly 30,000 people who took an online AA Travel New Zealand survey were at risk of being hacked by an overseas account.

Users were all sent an email informing them and telling them to change their password.

Leighton said today: "These characters [hackers] are always looking for access points. It's just one of those things that occur. And it's very frustrating.

"But we should not have this happen. We're constantly looking at our security settings. We've certainly learned a great deal from this."

The AA is now checking technology for "vulnerabilities" and ensuring data "is basically eliminated, where it's no longer required".

Leighton said it was unclear where the hackers were based.

Acting Privacy Commissioner Liz Macpherson told RNZ's Midday Report today that if data was not needed it should be deleted.

The key lesson was for companies to minimise the data collected as it did not take much information for someone to manufacture an identity.

The leading cause of data breaches was still human error, she said, and companies needed a review policy in place to determine whether the data stored was necessary or could be deleted.