AA fails to notify their customers of data breach
aa data breach

Data Leak Lawyers - Begin Your Data Breach Claim Today!

Sign-up to a data breach claim today - use our quick and easy form to begin your claim for thousands of pounds in compensation.

Start Your Claim
Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy

solicitors regulation authority

AA fails to notify their customers of data breach

Further to the AA data breach that occurred on 22nd April 2017, there’s been further backlash as AA reportedly failed to notify customers of the breach.

The personal information that was breached related to customers of the AA’s online shop, operated by a third party, which sells maps, car accessories and other products to retailers and individuals.

Due to a server malfunction, personal data stored on two database backup files was accessible to the public.

The AA data breach saga arguably got worse when it transpired that AA failed to notify their 117,000 affected customers. Security researcher, Troy Hunt, posted a Twitter conversation between one of his contacts and the insurance company informing them of the data breach where over 13 GB of data was exposed.

The exposed data included names, email addresses, passwords, IP addresses and credit card information. The credit card information consisted of expiry dates, credit card types and the last four digits of the long card number.

It seems completely nonsensical for AA to suggest that ‘no sensitive information’ was compromised, when that’s clearly not the case.

Has the breach been taken seriously?

In a Twitter response, AA stated:

“…this incident was related to the AA shop & retailers’ orders rather than sensitive info[.] It was rectified and taken seriously.”

The severity and seriousness is obviously debatable. Reportedly, AA didn’t even notify their customers of the breach when it happened, and secondly they tried to argue the breach didn’t involve sensitive information.

Their conduct is certainly questionable…

Is there a legal obligation to report data breaches?

Although there isn’t always a legal obligation to notify customers of a data breach, the Information Commissioner’s Office (ICO) say it’s good practice for data controllers to report breaches resulting in loss, release, or corruption of personal data. For the most serious breaches, they must be brought to the attention of the ICO.

They ICO can assess whether the data breach is as a result of the data controller’s failure to adhere to rules set out in the Data Protection Act (DPA), and what responsibilities they have. Unfortunately, ‘serious breaches’ aren’t clearly defined in the ICO’s guidance notes, but their notes suggest breaches should be reported in circumstances as follows:

  • If there’s detriment to the customers (data subjects). Detriment can include: exposure to identity theft through the release of non-public identifiers e.g. passport numbers. Information that constitutes to a private aspect of someone’s life e.g. financial or medical circumstances.
  • The volume of personal data lost, released and/or corrupted. There’s a presumption that a large volume of data loss should be reported to the ICO, and where there’s a real risk the people involved would suffer harm. This is very subjective and each case will be assessed on its own merits.
  • The sensitivity of personal data lost, released and/or corrupted. There’s a presumption that, even where smaller amounts of personal data is breached, if the release of that data would cause substantial detriment, including substantial distress, this must be reported to the ICO. If there’s uncertainty on whether to report or not, there’s a presumption in favour of reporting it.

AA’s lax attitude

Mr Hunt contacted customers who found out their data was breached through the website Have I Been Pwned. They confirmed AA didn’t notify them of the breach.

Mr Hunt states:

“…at no point does their statement acknowledge the severity of the exposed data nor that they failed to notify customers when learning of the exposure.”

The content of this post/page was considered accurate at the time of the original posting and/or at the time of any posted revision. The content of this page may, therefore, be out of date. The information contained within this page does not constitute legal advice. Any reliance you place on the information contained within this page is done so at your own risk.

We offer genuine No Win, No Fee agreements for our clients. Why we do this is simple:

Leading Data Breach Lawyers
Our experience speaks for itself.
We will fight for your right to compensation.
Access to Justice
As a victim of a data breach or hack, you deserve your chance to get access to justice.
Risks Assessment
We carefully risk assess your case and take it on if we think we have a good chance of winning the claim.

Request A Callback From Our Team

Fill out our quick call back form below and we'll contact you when you're ready to talk to us.

Your privacy is extremely important to us. Information on how we handle your data is in our Privacy Policy
Contact is © of Your Lawyers Limited - we are 'Authorised and Regulated by the Solicitors Regulation Authority (SRA number 508768)'
arrow-up icon