Some of our customers' personal data, given to us when they shopped online at our AA shop, became insecure when one of our service providers made an error with its computer systems. We took immediate steps to correct this and then commissioned an investigation by external experts.
This is still ongoing, but we can now share the following information:
- We have emailed affected customers with more specific details.
- The data affected included names, addresses, phone numbers and email addresses.
- For some customers who shopped with us prior to October 2014 it will also have included partial payment card information.
- For customers who only shopped with us after October it will not have included any payment card information.
- We do not believe customers who only shopped with us after January 2017 have been affected at all.
- Some encrypted passwords were included in the data. Whilst we do not believe that customer accounts at our AA shop were accessed, we are reminding customers of industry advice that:
- they should consider changing their password if they used it on other sites
- if they are contacted by anyone asking for personal data or passwords, such as bank account details, they should always take steps to check the caller is who they say they are, and
- they should be alert for any unexpected emails, especially those that ask for personal or financial information, or request recipients to click on links or download information.
- This incident originated from third party systems outside our own network and did not affect main AA systems such as those processing insurance or membership information.
- Nonetheless, it is clear that our supplier's security safeguards in this instance fell short of the high standards that we and our customers rightly expect. We have notified the relevant authorities.
We know that our customers expect and trust us to keep their information safe and secure, and apologise wholeheartedly for what has happened.
We will continue to work hard in being vigilant in safe-guarding our customers’ data.
Edmund King OBE
7 July 2017