AA Traveller Security Incident

Up until 2018, AA Traveller operated a commercial website that enabled customers to make travel bookings, enter competitions and take part in surveys. Unfortunately, a number of AA Traveller customers have had their personal information compromised in a security incident.

We have recently discovered that there was a vulnerability in the application where the AA Traveller website information was stored, and that an unauthorised party accessed information within the database used.

On becoming aware of the issue, AA Traveller immediately moved to remedy the vulnerability and has been working with cyber security advisors to investigate the situation.

We sincerely apologise for this situation and any inconvenience it may be causing. The vulnerabilities have been addressed and the personal information on this system has been secured.

The AA Traveller website in question was not related to travel insurance, and we’d like to assure AA Travel Insurance customers that no travel insurance data has been compromised as part of this breach.

Please refer to the FAQs listed below for further information.

AA Traveller customers, and anyone with concerns or questions, can reach out to [email protected] or 0800 500 050.

Frequently Asked Questions

What happened, and what has AA Traveller done in response?

Up until 2018, AA Traveller operated a commercial website that enabled customers to make travel bookings, enter competitions, take part in surveys and receive travel related newsletters.

AA Traveller customers who used this website may have had some of their personal information exposed through a security incident. This website was in use between 2003 and 2018.

Unfortunately, we have recently discovered that there was a vulnerability in the application where the AA Traveller website information was stored, and understand that an unauthorised party has accessed information within the database used.

AA Traveller immediately moved to remedy the vulnerability and strengthen security once the issue was discovered. AA Traveller has engaged support from leading cyber security advisors, and is working on a detailed forensic investigation. The information on the data application has also been removed and safely secured. AA Traveller is no longer using the system that was compromised.

The Privacy Commissioner was notified as soon as practicable after AA Traveller became aware of the breach, and notifications to individuals are being sent now, after confirmation that appropriate measures are in place to adequately address security risks to other information.

How do I know if my personal information was involved in the breach?

AA Traveller have now contacted the majority of affected customers using an email address, postal address or phone number that was provided to them. If you haven’t received a communication then it is most likely that personally identifiable information for you has not been exposed in the breach.

As a precaution, if you use the password you may have used for the AA Traveller website on other websites, we recommend that you update your password on those sites. It is also a good idea to use a password manager to help you create long, strong and unique passwords and store them securely. The AA Traveller website this password was set up for is no longer in use; however, you may be using that password across other sites.

You should also continue to be safe online by not responding to any emails or social media communications that you consider suspicious or calls from numbers you don’t recognise. You can check that the sender or caller is who they say they are by checking official company websites. For the AA and AA Traveller you can check this from the Contact Us page on our website.

There are some good resources available to you through Netsafe NZ and CERT NZ for more information on how to protect yourself online.

You can report any suspected fraudulent activity to the government cyber security watchdog, CERT NZ, at www.cert.govt.nz

My personal information was involved in the breach, what should I do now?

Based on the information that was accessed as a part of this security incident, you can reduce the risk to yourself by remaining vigilant to phishing emails or scam communications from organisations claiming to be AA Traveller or a financial institution.

You should also continue to be safe online by not responding to any emails or social media communications that you consider suspicious or calls from numbers you don’t recognise. You can check that the sender or caller is who they say they are by checking official company websites. For the AA and AA Traveller you can check this from the Contact Us page on our website.

We will continue to keep customers that were affected updated if more information comes to hand.

If you have received a communication from AA Traveller and have a Reference ID relating to this (published in the top right corner of the email or letter), you can visit the AA Traveller customer portal to understand more about the personal information that was exposed and what to do next.

There are some good resources available to you through Netsafe NZ and CERT NZ for more information on how to protect yourself online. You can also use Scamwatch or haveibeenpwned.com, which collate a wealth of scam information and provide alerting services to our community.

When and how did I supply this personal information to AA Traveller?

The information came from customers who may have answered travel surveys, made travel bookings, entered competitions, or who asked to receive travel newsletters.

In the majority of cases, this information was provided to AA Traveller between 2003 and 2018.

When did AA Traveller become aware of the incident?

On 17 March 2022, we were alerted to a potential vulnerability in an application which contained AA Traveller website data. It was confirmed on 29 March 2022 that the application had been accessed by an unauthorised party in August 2021.

Since identifying the issue, AA Traveller has been working with cyber security advisors to investigate the situation.

Has the issue been fixed?

AA Traveller immediately moved to remedy the vulnerability and strengthen security. The information on the data application has also been removed and safely secured, and impacted customers alerted. AA Traveller is no longer using the system that was compromised.

Looking after AA Members’ and our customers’ data is extremely important to us, and we will continue to make every effort we can to maintain the security and safety of personal information that we hold.

Have you notified any regulatory bodies of this incident?

We are working with the Office of the Privacy Commissioner.

Who can we contact if we have further queries?

If you have further questions, you can call us on 0800 500 050 or email [email protected]

If you have received a communication from AA Traveller and have a Reference ID relating to this (published in the top right corner of the email or letter), you can visit the AA Traveller customer portal to understand more about the personal information that was accessed and what to do next.

We also recommend the resources available to you through Netsafe NZ and CERT NZ for more information on how to protect yourself online.

What should I do if I'm concerned about my MyAA account?

The AA Traveller website that was compromised was a separate commercial website, and is not connected to your MyAA account. However, as a precaution, we recommend that MyAA users update their password in case they use the same password across both sites.