So Sorry
https://www.youtube.com/watch?v=kJqziTVLNoo&ytbChannel=johann10000
UK car insurance and driving school giant The AA has at last admitted it accidentally spilled its customers' personal information all over the web. In an astonishing U-turn, the motoring biz confessed on Friday that people's names, postal addresses, phone numbers, and email addresses were exposed to the internet – and, in some …
I haven't used the AA in years but still had a legacy account, so to be safe I just changed my password this morning.
Had repeated rejections of the new password because "it must be at least 8 characters." I had started with 64 characters, then tried 32, 24. It finally accepted one when I got it down to 16 characters.
Arbitrary maximum password lengths are never a sign of good security practice. This is not looking promising at all.
It's also worth considering whether you used to reuse the same password on other services.
A good opportunity to spend the hour or two resetting the password on those online accounts you only use every tenth of never with strong random passwords you store in a password manager (any of the top few password managers are fine). Use a strong password to unlock the password manager. Back up that password database frequently and, depending on your threat model, decide whether to print out your password putting it out. One last thing: if you back up to the cloud, then have your cloud credentials somewhere else too, because you'll need them to recover the password database.
As usual, first reaction: deny everything. Second reaction: claim only a few people were affected and, anyway, nothing important was stolen. And then eventually, when it's no longer newsworthy in the mainstream media, admit that actually it was quite serious after all.
Name, address, card expiry date, last four digits of the card all associated with an AA account is more than enough to create almost perfect phishing emails.
would see these clowns having to recompense each affected customer.
Maybe *then* we'll see some serious data protection.
Incidentally, I had to sign up to HMRC online yesterday. I was impressed. True 2FA, via 2 channels - text or phone call. The only criticism I have is the "3rd way" to get 2FA was "to install the HMRC app".
I can't begin to describe how fucking sick and fucking tired I am of "just install our app" - especially when I have 3 2FA code generating apps on my phone already.
Surely HMRC could have used Google Authenticator?
Whilst the 2FA apps from Google and others appear to be (more) secure than just passwords, and are fine when working, doesn't the grief that ensues when the phone gets stolen / breaks / replaced make it not worth the serious hassle (as in locked out of your account type hassle)?
How much longer will we have to wait until CEOs stop with the stonewalling, pretending and generally blundering blindly about the corridors of PR and just straight out admit there's been a problem?
It's not like they can't see that, in the end, they always will, is it? Or do we have a generation of PR people that have the same Pavlovian training and all have the same counsel: deny and wait?
Kudos to AA for finally coming clean, but shame on you for trying to pull the same wool and utterly failing to do so efficiently.
Come on, CEOs; we can accept that there are problems. Failures happen, mistakes are made. But we CANNOT accept being lied to and led through the dark. You published private data? SAY SO.
It will be so much more impressive being the first one to actually do that, I think that in itself would be a worthy PR move.
Maybe GDPR will "refocus" organisations' response measures and code of conduct, blurring the line between legal obligations and moral responsibilities. Be upfront with data loss so that those potentially at 'high risk' (GDPR Article 34) can also take their own response measures to limit the impact.
I'm looking forward to the outrageous actions (which seem to be misdirection, untruths, delaying tactics...) of such companies getting a huge administrative fine of up to €20,000,000 or 4% of their gross global turnover (of the preceding financial year). If we don't take such punitive measures, the weekly reported breaches of personal information will become the norm and be taken less seriously, whilst the consequences for us, the users of such services, will increase substantially.