AA Traveler apologizes after huge data breach

AA Traveler says a data breach affected hundreds of thousands of customers.

Hackers took names, addresses, contact details and expired credit card numbers from the AA Traveler website used between 2003 and 2018.

AA Travel and Tourism Managing Director Greg Leighton said the data was taken in August last year and AA Traveler discovered it in March.

He said much of the data was no longer needed, so it should have been deleted and the breach “could have been avoided”.

“You should be able to give your data and for it to be secure. We understand that and respect that and are incredibly sorry.”

Leighton said cybersecurity experts reviewed the breach and “interpreted that the vulnerability was definitely there” and “there was data that was pulled from the server.”

He said the site was then secured “to ensure that there is no further risk or vulnerability for those involved”.

AA Traveler is contacting all affected customers this week.

The association also identified in 2010 that nearly 30,000 people responding to an AA Travel New Zealand online survey were at risk of being hacked by a foreign account.

The users all received an e-mail informing them and asking them to change their password.

Leighton said today: “These characters [hackers] are still looking for access points. It’s just one of those things that happens. And it’s very frustrating.

“But we shouldn’t let that happen. We’re constantly reviewing our security settings. We’ve certainly learned a lot from that.”

The AA now checks the technology for “vulnerabilities” and ensures that the data “is virtually eliminated, where it is no longer needed”.

Leighton said it was unclear where the pirates were based.

Acting Privacy Commissioner Liz Macpherson told RNZ noon report today that if data was not needed, it should be deleted.

The key lesson was that companies minimize the data collected because it didn’t take much information for someone to fabricate an identity.

The top cause of data breaches was still human error, she said, and companies needed a review policy in place to determine whether stored data was necessary or could be deleted.

About Janet Young

Check Also

IATA publishes passenger data for September

The International Air Transport Association (IATA) has announced passenger data for September 2022, showing that …