Following the AA data breach that occurred on 22nd April 2017, there’s been further backlash as AA reportedly failed to notify customers of the breach.
The personal information that was breached related to customers of the AA’s online shop, operated by a third party, which sells maps, car accessories and other products to retailers and individuals.
Due to a server malfunction, personal data stored on two database backup files was accessible to the public.
The AA data breach saga arguably got worse when it transpired that AA failed to notify their 117,000 affected customers. Security researcher Troy Hunt posted a Twitter conversation between one of his contacts and the insurance company informing them of the data breach, in which over 13 GB of data was exposed.
The exposed data included names, email addresses, passwords, IP addresses and credit card information. The credit card information consisted of expiry dates, credit card types and the last four digits of the long card number.
It seems completely nonsensical for AA to suggest that ‘no sensitive information’ was compromised, when that’s clearly not the case.
In a Twitter response, AA stated:
“…this incident was related to the AA shop & retailers’ orders rather than sensitive info[.] It was rectified and taken seriously.”
The severity and seriousness are obviously debatable. Reportedly, AA didn’t even notify their customers of the breach when it happened, and they also tried to argue that the breach didn’t involve sensitive information.
Their conduct is certainly questionable…
Although there isn’t always a legal obligation to notify customers of a data breach, the Information Commissioner’s Office (ICO) say it’s good practice for data controllers to report breaches resulting in loss, release, or corruption of personal data. The most serious breaches must be brought to the attention of the ICO.
The ICO can assess whether the data breach is a result of the data controller’s failure to adhere to rules set out in the Data Protection Act (DPA), and what responsibilities they have. Unfortunately, ‘serious breaches’ aren’t clearly defined in the ICO’s guidance notes, but their notes suggest breaches should be reported in circumstances as follows:
Mr Hunt contacted customers who found out their data was breached through the website Have I Been Pwned. They confirmed AA didn’t notify them of the breach.
Mr Hunt states:
“…at no point does their statement acknowledge the severity of the exposed data nor that they failed to notify customers when learning of the exposure.”