The Automobile Association (AA) — the UK’s largest motoring organization with over 15 million members — is being heavily criticized over its public handling of a major data incident that occurred in April. A server misconfiguration exposed personal details of more than 100,000 AA Shop customers, but the organization has consistently downplayed its importance. Affected customers were not informed.
The incident became public knowledge only last week when security researcher Troy Hunt tweeted that the AA had been notified “about 13GB of exposed DB backups”. The AA responded with what appears to be its first public confirmation, “This incident was related to the AA shop & retailers’ orders rather than sensitive info. It was rectified & we take this seriously.”