🔒breach.co.nz · the NZ & Australia breach register 🛡️ A Govern service
Register › 🇳🇿 NZ › Other
Advertising
Your brand, in front of the right people
Run-of-site leaderboard — every ad-supported page across the register.
Enquire → breach@govern.co.nz

AA Traveller

🇳🇿 New Zealand · AA Traveller (New Zealand Automobile Association) · Record NZ-2021-0088
○ Reported — awaiting official confirmation
Reported — awaiting official confirmation. The facts below are drawn from the organisation's own disclosure and credible reporting. Figures are as reported; unknowns are labelled, not estimated by us.
People affected
Not disclosed
Breach date
2021-08
Regulator
NZ Office of the Privacy Commissioner (notified)
Trust tier
B · Reported

Data exposed

Names, addresses and contact details (phone/email) Company-confirmed
For older records, expired credit-card numbers held on a legacy system Media-reported

Confidence: Confirmed = regulator/court · Company-confirmed = the organisation's own disclosure · Media-reported = press. Figures without an official source are labelled, not estimated.

What happened

In May 2022 AA Traveller, the travel and tourism arm of the New Zealand Automobile Association, apologised after disclosing a data breach on one of its websites [aat-rnz1], [aat-rnz2]. The affected system was an old, no-longer-used platform holding customer records spanning roughly 2003 to 2018 [aat-rnz1]. AA Traveller said the exposed information included names, addresses and contact details, and — for older records — expired credit-card numbers [aat-rnz1], [aat-reseller].

Timeline

  • 2021-08 — Unauthorised access reportedly occurred around August 2021 [aat-rnz1].
  • 2022-03 — AA Traveller says it discovered the breach [aat-rnz1].
  • 2022-05 — Public announcement (11 May); the Office of the Privacy Commissioner was notified and commented publicly [aat-rnz1], [aat-rnz2].

Current status

Disclosed. AA Traveller ran its own forensic investigation and notified the NZ Office of the Privacy Commissioner [aat-rnz1]. Media reported the breach as affecting “hundreds of thousands” of customers, but no official figure was published; that scale and the expired-card detail come from AA’s own disclosure as reported by RNZ, and no count is asserted here [aat-rnz1].

Why it matters

Data held on legacy systems that an organisation no longer actively uses is easy to forget and hard to secure — and here it still contained enough identity and (expired) card information to warrant a public apology and a regulator notification years later.

GGOVERN Tabletop Exercises · Govern house Strengthen your cyber resilience — rehearse the decisions that matter. Book a Discovery Call →