Information hacked from the AA customer database included email addresses and website passwords.
The AA says up to hundreds of thousands of customers had their personal information compromised in a hack last August that it only recently discovered.
The incorporated company said customers who could have been affected were those using aatravel.co.nz, a now mothballed website of its AA Traveler travel insurance and accommodation booking arm, between 2003 and 2018.
The website allowed customers to make travel reservations, enter contests, participate in surveys, and receive travel newsletters.
The AA said it was alerted to a vulnerability on March 17.
“AA Traveler has enlisted the support of leading cybersecurity advisors and is working on a detailed forensic investigation,” the company said in a statement.
“While elements of this are ongoing, unfortunately it became clear that there was unauthorized access by hackers to customer information in August last year.”
It is still assessing the extent of the hack.
“There was a range of data revealed and it was different for different people who used the AA Traveler site.
“We don’t have a definitive number at this point, but the number of people in different subsets ranges from thousands to hundreds of thousands of people,” he said.
Kiwis are urged not to underestimate the risk of being hacked.
The information that was stolen includes records containing people’s names, email addresses, passwords they used to access the website, and addresses and phone numbers.
The AA sent an e-mail to the persons concerned.
It warned customers that if they had used the same passwords on other online services as they used to access its website, they must change those passwords on those other sites.
They should also be on the lookout for phishing emails or other fraudulent communications from organizations pretending to be AA Traveler or a financial institution, it said.
It had no information about the identity of the hackers or where they might be based.
AA Traveler general manager Greig Leighton said he was deeply sorry.
“We are extremely sorry this has happened and would like to apologize to everyone involved.
“We have made sure that the data we hold is now secure and obviously an attack like this is the very last thing we would want to see happen.”
Pete Bailey, head of cybersecurity at consultancy Theta, said it’s not uncommon for organizations to only find out they’ve been hacked months after an attack.
The kind of personal information the AA said had been compromised was valuable to hackers who could sell it on the “dark web”, he said.
Bailey said some cybercriminals are now using artificial intelligence tools to extract information from different sources and create personalized scam emails for potential victims, making them more likely to “click” on malicious links.
It’s proven more effective for them than “old-fashioned general emails where it’s easy to guess what’s going on,” he said.
“The more data they can get about who people are and what they like, the better they can target those emails.”