Talk about a hit and run: AA finally comes clean on security breakdown

UK car insurance and driving school giant The AA has at last admitted it accidentally spilled its customers' personal information all over the web. In an astonishing U-turn, the motoring biz confessed on Friday that people's names, postal addresses, phone numbers, and email addresses were exposed to the internet – and, in some …

  1. frank ly

    So Sorry

    https://www.youtube.com/watch?v=kJqziTVLNoo&ytbChannel=johann10000

  2. Anonymous Coward
    Anonymous Coward

    Leaks & Lies

    We shit-canned the old aging IT department over a weekend, and moved to a dirt cheap 3rd party. It was a Double-Win! We saved lots of $ and I got my big fat bonus. Now I can still blame the outsourced help.... In a word... Sweet!

  3. Your alien overlord - fear me

    Bit like the WPP story earlier this week - poor management decisions leading to outsourcing/using 3rd party IT companies.

    Companies must really start to pull their corporate fingers out, put an IT director on the board with at least the same status/power as the beancounter director.

    1. Anonymous Coward
      Anonymous Coward

      It's not necessarily a bad decision to outsource something peripheral to their main business, such as an online store. What's really wrong is picking an incompetent supplier, and even when you apologise for the failing to take responsibility for their cock-up.

  4. The Infamous Grouse
    Facepalm

    I haven't used the AA in years but still had a legacy account, so to be safe I just changed my password this morning.

    Had repeated rejections of the new password because "it must be at least 8 characters." I had started with 64 characters, then tried 32, 24. It finally accepted one when I got it down to 16 characters.

    Arbitrary maximum password lengths are never a sign of good security practice. This is not looking promising at all.
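The comment above describes a site that enforces a minimum of 8 characters yet silently rejects 64-, 32- and 24-character passwords. As an added illustration (my own code, not anything from the thread, the AA or The Register), here is what a length policy looks like when the stored verifier is a fixed-size KDF output: the only rules are the minimum the site actually advertises and a very generous byte cap that bounds KDF work, so long random passwords from a manager pass. The constants, function names and the 1024-byte cap are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed policy values for this example (not the AA's or any real site's):
MIN_LENGTH = 8          # the one rule the comment above reports the site stating
MAX_BYTES = 1024        # caps KDF work per login attempt; not a usability limit
PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256; scrypt/argon2 are preferable where available


def validate_password(password: str) -> Tuple[bool, str]:
    """Enforce the advertised minimum and a generous byte cap, nothing in between."""
    raw = password.encode("utf-8")
    if len(password) < MIN_LENGTH:
        return False, f"must be at least {MIN_LENGTH} characters"
    if len(raw) > MAX_BYTES:
        return False, f"must be at most {MAX_BYTES} bytes"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a fixed-size verifier; storage cost does not depend on password length."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of the recomputed verifier against the stored one."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def policy_report(lengths) -> dict:
    """Apply the policy to candidate passwords of the given lengths (constructed input)."""
    return {n: validate_password("a" * n)[0] for n in lengths}


if __name__ == "__main__":
    # The lengths the commenter tried, plus one too short and one over the byte cap.
    for length, accepted in policy_report([7, 16, 24, 32, 64, 2000]).items():
        print(f"{length:>5} chars: {'accepted' if accepted else 'rejected'}")
    salt, digest = hash_password("b" * 64)
    print(f"verifier is always {len(digest)} bytes; round-trip ok: "
          f"{verify_password('b' * 64, salt, digest)}")
```

Whatever the password length, the database column holds 32 bytes of digest plus the salt, which is why a 16-character ceiling buys the operator nothing except weaker passwords.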

    1. Adam 1

      It's also worth considering whether you used to reuse the same password on other services.

      A good opportunity to spend the hour or two resetting the password on those online accounts you only use every tenth of never with strong random passwords you store in a password manager (any of the top few password managers are fine). Use a strong password to unlock the password manager. Back up that password database frequently and depending on your threat model, decide whether to print out your password putting it out. One last thing, if you back up to the cloud, then have your cloud credentials somewhere else too because you'll need them to recover the password database.

    2. JCitizen
      FAIL

      Well...at least

      they didn't come out with that tired old axiom of "your security is very important to us". That statement is so cliched that I can't even take any company using that line as "serious" at all!!

  5. Anonymous Coward
    Anonymous Coward

    It would have been fixed sooner but it took them 4 hours to send someone out.

  6. Doctor Syntax Silver badge

    It might have taken a long time to sort out but it's completely inexcusable not to notify those possibly affected immediately.

  7. Anonymous Coward
    Anonymous Coward

    Always simpler than you think

    What you don't have (store) you can't lose or have stolen

    1. Flocke Kroes Silver badge

      Re: Always simpler than you think

      13GB/120000 accounts > 100K each

      What other information do they keep about each customer?

      1. Pen-y-gors

        Re: Always simpler than you think

        13GB/120000 accounts > 100K each

        What other information do they keep about each customer?

        My first thought as well. 100K is a small book.

        1. LewisRage

          Re: Always simpler than you think

          Might have been more than just a customer DB? Depending on the nature of the backup it could have other stuff in that isn't specific to customers.

  8. Anonymous IV
    Unhappy

    "We're so sorry..."

    "... Uncle Albert."

    Allusion missed.

  9. John Brown (no body) Silver badge

    Usual first reaction...

    As usual, first reaction, deny everything, second reaction, claim only a few people affected and anyway, nothing important was stolen. And then eventually, when it's no longer newsworthy in the mainstream media, admit that actually it was quite serious after all.

    Name, address, card expiry date, last four digits of the card all associated with an AA account is more than enough to create almost perfect phishing emails.

  10. JimmyPage Silver badge
    FAIL

    GDPR (as of May 2018)

    would see these clowns having to recompense each affected customer.

    Maybe *then* we'll see some serious data protection.

    Incidentally, I had to sign up to HMRC online yesterday. I was impressed. True 2FA, via 2 channels - text or phone call. The only criticism I have is the "3rd way" to get 2FA was "to install the HMRC app".

    I can't begin to describe how fucking sick and fucking tired I am of "just install our app" - especially when I have 3 2FA code generating apps on my phone already.

    Surely HMRC could have used Google Authenticator ?

    1. Dan 55 Silver badge

      Re: GDPR (as of May 2018)

      Far better any RFC-based OTP solution. You could then use HMRC's app or an open source one.

      But the less Google the better.

      (I didn't downvote.)
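Dan 55's point above is that an RFC-based OTP scheme lets the user pick any compliant authenticator app rather than a vendor's own. As an added example (mine, not HMRC's, Google's or any project's code), here is RFC 4226 HOTP and RFC 6238 TOTP from the standard library, checked against the test vectors published in RFC 6238, plus the otpauth provisioning URI that authenticator apps read from a QR code. The issuer and account names are placeholders; the server-side verifier accepts one step of clock drift either way, an assumed window.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# Seed from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, for_time: Optional[float] = None, step: int = 30,
                digits: int = 6, algo: str = "sha1", window: int = 1) -> bool:
    """Server-side check: accept the current step and +/-window neighbours (assumed policy)."""
    if for_time is None:
        for_time = time.time()
    matched = False
    for k in range(-window, window + 1):                      # no early exit, every candidate compared
        candidate = totp(secret, for_time + k * step, step, digits, algo)
        matched |= hmac.compare_digest(candidate, code)
    return matched


def provisioning_uri(issuer: str, account: str, secret: bytes,
                     digits: int = 6, step: int = 30, algo: str = "sha1") -> str:
    """otpauth:// URI that any RFC-compliant authenticator app can import via QR code."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(f'{issuer}:{account}')}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm={algo.upper()}&digits={digits}&period={step}")


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (SHA-1, 8 digits) for the seed above.
    for t, expected in [(59, "94287082"), (1111111109, "07081804"), (1234567890, "89005924")]:
        print(f"T={t:<12} totp={totp(RFC_TEST_SEED, t, digits=8)} expected={expected}")
    print(provisioning_uri("ExampleCo", "alice@example.invalid", RFC_TEST_SEED))
    now = time.time()
    print("current code verifies:", verify_totp(RFC_TEST_SEED, totp(RFC_TEST_SEED, now), now))
```

Because the secret, algorithm, digit count and period are all carried in the URI, the server never learns or cares which app generated the code, which is exactly the interoperability the comment asks for.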

    2. deanb01

      Re: GDPR (as of May 2018)

      I use Microsoft Authenticator with HMRC online services. Pretty sure it works with Google Authenticator too; only use MS for Office 365.

  11. Ken Moorhouse Silver badge

    Re: Surely HMRC could have used Google Authenticator ?

    Everything was going fine and dandy, until this.

    Do people really file stuff as important as this using their phones?

    I think this is one of the compelling reasons for the continued usage of PCs located on terra firma.

    1. Ken Moorhouse Silver badge

      Re: Surely HMRC could have used Google Authenticator ?

      Aha. Have you really thought through what HMRC's response to you not filing forms in a timely fashion if you can't login due to a Google Authenticator [Third Party] issue would be?

      1. Anonymous Coward
        Anonymous Coward

        Re: Surely HMRC could have used Google Authenticator ?

        Whilst the 2FA apps from Google and others appear to be (more) secure than just passwords, and are fine when working, doesn't the grief that ensues when the phone gets stolen / breaks / replaced make it not worth the serious hassle (as in locked out of your account type hassle)?

  12. 4d3fect
    Coat

    AA

    Hi, my name is Ford, and

    --you already knew that?

  13. Pascal Monett Silver badge
    WTF?

    How much longer is it going to take ?

    How much longer will we have to wait until CEOs stop with the stonewalling, pretending and generally blundering blindly about the corridors of PR and just straight out admit there's been a problem ?

    It's not like they can't see that, in the end, they always will, is it ? Or do we have a generation of PR people that have the same Pavlovian training and all have the same counsel : deny and wait ?

    Kudos to AA for finally coming clean, but shame on you for trying to pull the same wool and utterly failing to do so efficiently.

    Come on, CEOs ; we can accept that there are problems. Failures happen, mistakes are made. But we CANNOT accept being lied to and led through the dark. You published private data ? SAY SO.

    It will be so much more impressive being the first one to actually do that, I think that in itself would be a worthy PR move.

    1. GrapeBunch
      Terminator

      Re: How much longer is it going to take ?

      "How much longer will we have to wait until CEOs ..."

      Until jail time. Or is it gaol time? And personal liability when the delay is flagrant. Say 200% of the CEO's compensation for a particular year. IANAHBIPOOTI.

  14. Anonymous Coward
    WTF?

    I know it's Monday and I'm tired, but....

    "We do not believe customers who only shopped with us after January 2017 to have been affected at all."

    Does that mean customers after Jan 2017 ARE affected or NOT affected?

  15. Arthur2sheds

    Roll on 25 May 2018

    Maybe GDPR will "refocus" organisations' response measures and code of conduct, blurring the line between legal obligations and moral responsibilities. Be upfront with data loss so that those potentially at 'high risk' (GDPR Article 34) can also take their own response measures to limit the impact.

    I'm looking forward to the outrageous actions (which seems to be mis-direction, untruths, delaying tactics...) of such companies getting a huge administrative fine of up to €20,000,000 or 4% of their gross global turnover (of the preceding financial year). If we don't take such punitive measures the weekly reported breaches of personal information will become the norm and taken less seriously, whilst the consequences for us - users of such services - will increase substantially.
