Did the AA have a minor breakdown?

There have been rumours of a potential data breach over at The AA UK, and from a series of statements and replies observed on social media it was quite worrying to piece together a jigsaw picture of the issues involved. As the week unfolded, more and more seemingly connected events were observed. We first saw this publicly in a Twitter post from the one and only Troy Hunt; it appeared to be a conversation between AA UK and Scott Helme (a security researcher) disclosing an issue with backups on the AA website:


So from the claim, it looks like someone found 13GB of exposed database backups and informed them like the decent chap he was; The AA fixed this up and decided to keep it to themselves. But what exactly could the database backup contain? Well, their slogan is ‘Just AAsk’, so we decided to do just that, and the AA sent us a reply on Twitter:

So they hint that the backups only contained “AA Shop & Retailers orders”. The site in question is The AA’s retail wing – it sells foreign travel packs, warning triangles and such. But being the company The AA is now, it also hosts applications for driving lessons, mortgages, savings accounts, loans and insurance. Their tweet explicitly states “retailers orders rather than sensitive info”, so if this database does contain sensitive data, that would be a blatant lie.

The backup could have contained IP addresses, email addresses, postal addresses, orders and other personal details. It could have been hosted for the world to see for an unspecified period of time, and this is a scenario they have failed to acknowledge; it is exactly the scenario in which customers need to be made aware. The database could also just contain pictures of stickers and car parts! But when confronted with the issue, wouldn’t it be easier to tell people this? They even had the option to disagree with our claim privately, which would have saved us the time of writing this post! But they didn’t; they decided to shift the attention onto an embarrassing but harmless second incident.

Shortly after our email to the AA, someone at HQ messed up and sent out a customer-wide email alert – by mistake. The email alert was informing customers of a password change. Here is where the bad got worse… thousands of people tried logging in to investigate this email and effectively created a small-scale DoS situation. We asked again for clarity on the situation, as this fiasco seemed to be unfolding while we were poking about asking about the initial leak.

In an email from their press team to us they forwarded a brief, misleading statement:

The email was sent by the AA but in error. We are sorry for any confusion or concern we may have caused. I would like to reassure you that passwords have NOT been changed and personal data remains secure.

Hell, if they want to annoy their customers and DoS themselves, that is their right! But our concern was solely with the possibility of leaking databases. Our response was along the lines of “Can you try again, with reference to the 13GB of backup files discovered by a security researcher and then not mentioned by the AA…”

So it’s all happening over at the AA, and the techies here will speculate on the connection between the database issues and the fact they emailed their whole customer base a password reset ‘by mistake’. Some users claimed they did indeed change their password! The fact still remains, despite the circus act: their data was exposed and they haven’t notified their customers. The AA UK has refused to comment on the data leak and seems more inclined to push the fact that they made a minor mishap with the email system.

We see this kind of tactic time and time again; I’ve written about it before, and it’s important to let companies know that their customers have the right to discover what data was exposed and how they might be at risk. Companies hide this in an attempt to gloss over negatives for a whole range of reasons, and whilst this may protect them, it does nothing for their customers! To quote the blog written last year:

Your data breach is going to negatively affect your brand and subsequently your shareholders if you mismanage it. You could try to bury the whole event and pretend it didn’t happen – this could work! But in modern times there are just so many ways in which it would come out. The odds of hiding a data breach are worse each year, and if the media get hold of this and it’s evident to the ever-growing tech-savvy public that you acted in this shady manner – simply watch your share price fall, because you deserve it. You can minimise this fall by simply handling the event like professionals from the start.

If the AA would like to solve this mystery for us then we are all ears! If the contents of the database did not include personally identifiable information then let us know directly, as this unneeded secrecy is bad for PR and for blog authors trying to piece together what happened.

Edit – 03/07/2017 14:25

The AA has since confirmed this blog post’s suspicions in a statement sent to us. Whilst we feel this goes a long way in explaining the situation, it still tries to steer around the fact of leaking data… They state “samples of the data were analysed and as the data was not sensitive”, but then why not simply explain what the data was? Again we have to push for them to reveal all the details when it could just be a case of being honest and transparent. If they told us it was pictures of cars totalling 13GB, we would accept that. But no, they remain stubborn and misleading, claiming “our third party supplier informed us that the data was only accessed several times”.

We can confirm that the AA was informed of a potential vulnerability involving some AA Shop data on 22nd April 2017. The AA Shop is run via a third party website supplier who was notified. They identified the vulnerability and the issue was resolved on the 25th April. The data related to AA Shop orders for items such as maps (some retailers and some personal customers). For a short period a misconfiguration in the server allowed access to two backup data files so a number of steps were taken to ensure the ongoing security of the AA Shop.
An investigation was undertaken, samples of the data were analysed and as the data was not sensitive, and our third party supplier informed us that the data was only accessed several times, the case was closed.
Legal letters warning against a dissemination breach under the ‘Computer Misuse Act’ will be issued. The ICO has been informed and we have commissioned a full independent investigation into the issue.
We take any data issues incredibly seriously and would like to reassure our AA Shop customers that their payment details have not been compromised. – The AA UK Press Office

Edit – 03/07/2017 15:09

They lied to several news organisations and misrepresented the issue yet again, claiming sensitive data had not been disclosed. Within minutes Vice released their article – with input from Scott Helme, the previously unknown researcher – claiming this was a lie and calling them out on the way they had handled the data breach. It is claimed that 117 thousand unique email addresses, hashed passwords and credit card information were part of the breach.

Edit – 03/07/2017 19:16

The AA are still claiming card data was not present; this false claim is quickly put to bed by Troy Hunt with the following tweet:


Some Important Tips

It is likely the site backups contained at least some personally identifiable data – why even have backups if they didn’t contain data? As we have seen in numerous breaches before, this data could fall into the hands of nefarious people. It’s not all doom and gloom though! Here are a few simple steps to make sure you are one step ahead:

  • Be on the lookout for phishing emails sent by attackers masquerading as the real AA.
  • Never believe that the sender of an email displayed in your client is a genuine representation of the email address it states. Sender addresses can be spoofed easily.
  • Beware of phone calls from attackers pretending to be from the AA, especially ones that ask about billing details. Always hang up and redial from a trusted number – like one from Google or your paperwork.
  • Beware of scammers ‘confirming’ your card details. In the breach it is claimed the last 4 digits of cards were obtained. Fraudsters will exploit this by asking you “Can I just get you to confirm the full card details of the card ending in 9999”.
  • If you’ve used the same password elsewhere, now is a good time to change it. It has been claimed hashed passwords were in the leak.

Richard De Vere (@AntiSocial_Eng) is the Principal Consultant for The AntiSocial Engineer Limited. He has an extensive background in penetration testing and social engineering assessments, including ‘red team’ exercises and information gathering assessments for financial institutions and some of the UK’s largest companies.

You are so right to raise this Richard. The data lost plus a little social engineering (eg Talk Talk) can lead to further huge losses for customers. They should at least be placed on notice. Oh what is 4% of the AA's turnover BTW.

Joe Giddens

Cybersecurity marketing | Positioning & GTM strategy

7 years

Good article Richard. I particularly like the fact that you include some good advice at the end. I think under GDPR data subject access requests will become common, 'hey throw one of those in as well!' I wonder what a response would look like in that situation...?
