What happened
In May 2022 AA Traveller, the travel and tourism arm of the New Zealand Automobile Association, apologised after disclosing a data breach on one of its websites [aat-rnz1], [aat-rnz2]. The affected system was an old, no-longer-used platform holding customer records spanning roughly 2003 to 2018 [aat-rnz1]. AA Traveller said the exposed information included names, addresses and contact details, and — for older records — expired credit-card numbers [aat-rnz1], [aat-reseller].
Timeline
- 2021-08 — Unauthorised access reportedly occurred around August 2021 [aat-rnz1].
- 2022-03 — AA Traveller says it discovered the breach [aat-rnz1].
- 2022-05 — Public announcement (11 May); the Office of the Privacy Commissioner was notified and commented publicly [aat-rnz1], [aat-rnz2].
Current status
Disclosed. AA Traveller ran its own forensic investigation and notified the NZ Office of the Privacy Commissioner [aat-rnz1]. Media reported the breach as affecting “hundreds of thousands” of customers, but no official figure was published; that scale and the expired-card detail come from AA’s own disclosure as reported by RNZ, and no count is asserted here [aat-rnz1].
Why it matters
Data held on legacy systems that an organisation no longer actively uses is easy to forget and hard to secure — and here it still contained enough identity and (expired) card information to warrant a public apology and a regulator notification years later.