Date: 2022-05-11

The AA says up to hundreds of thousands of customers have had personal information compromised as a result of a hack in August that it has only recently discovered.

The incorporated society said the customers who may have been affected were those who used aatravel.co.nz, a now mothballed website of its travel insurance and accommodation booking arm AA Traveller, between 2003 and 2018.

The website enabled customers to make travel bookings, enter competitions, take part in surveys and receive travel-related newsletters.

The AA said it was alerted to a vulnerability on March 17.

“AA Traveller has engaged support from leading cyber-security advisors, and is working on a detailed forensic investigation,” the society said in a statement.

“While elements of this are ongoing, unfortunately it has become clear that there was unauthorised access by hackers to customer information in August last year.”

It is still assessing the extent of the hack.

“There was a range of data revealed and it was different for different people who utilised the AA Traveller site.

“We don’t have a final number at this stage, but the number of people in different subsets ranges from thousands, to hundreds of thousands of people,” it said.

The information that has been stolen includes records containing people’s names, email addresses, the passwords they used to access the website, and their addresses and phone numbers.

The AA has been emailing those affected.

It is warning customers that if they used their AA Traveller website password for other online services as well, they should change it on those other sites.

They should also be on the look-out for phishing emails or other scam communications from organisations claiming to be AA Traveller or a financial institution, it said.

It did not have any information on the identity of the hackers or where they might be based.

AA Traveller general manager Greig Leighton said it was deeply apologetic.

“We are incredibly sorry that this has happened, and would like to apologise to everyone concerned.

“We have ensured the data that we hold is now secure and obviously an attack like this is the very last thing that we would want to have happen.”

Pete Bailey, head of cyber security at consultant Theta, said it was not uncommon for organisations to only find out they had been hacked months after an attack.

The kind of personal information that the AA believed had been compromised was valuable to hackers who could sell it on the ‘dark web’, he said.

Bailey said some cyber criminals were now using artificial intelligence tools to draw information from different sources and craft personalised scam emails to potential victims that made it more likely they would ‘click’ on malicious links.

That had proven more effective for them than the “old-style blanket emails where it is easy to guess what is going on”, he said.

“The more data they can get about who people are and what they like, the better they can target those emails.”