Cyber Incident Victim: AA Traveller
Date: Jan 2018
Location: New Zealand
Summary
A data breach occurred on a New Zealand-based travel booking website due to a vulnerability in its application, allowing unauthorized access to customer information stored in its database. The compromised platform had facilitated travel reservations, competition entries, and survey participation during its operational period. The organization publicly disclosed the incident after discovering the security weakness, confirming that personal data within the affected database had been accessed by an external party without authorization.
Description
The AA Traveller data breach involved unauthorized access to a customer database associated with the New Zealand-based travel website. AA Traveller disclosed that its website operated from 2003 until 2018, serving as a platform for travel bookings, competition entries, and survey participation. The organization publicly announced in 2022 that it had recently identified a security vulnerability within the application housing AA Traveller information. This vulnerability enabled an unauthorized third party to access data contained within the website's database. The breach timeframe coincided with the website's operational period, which concluded in 2018, though the exact intrusion date remained unspecified in public statements. No details regarding the vulnerability's technical nature or the attacker's identity were disclosed by the company.

Upon discovering the breach, AA Traveller issued a formal statement through its website to notify stakeholders about the incident. The organization confirmed that unauthorized access had occurred within its database infrastructure but did not specify exactly when the breach was detected relative to the 2018 website decommissioning. Public communications omitted critical details including the number of affected individuals, specific data types compromised, and whether financial or identity information was exposed. The company's disclosure occurred nearly four years after the website ceased operations, raising questions about the timeline between breach occurrence, vulnerability discovery, and public notification. No information was provided regarding containment measures, forensic investigations, or post-incident remediation efforts undertaken by the organization.
