AA Website Shop Data Breach

Reports have surfaced of a data breach in April this year in the website shop of motoring / breakdown company the AA which left a large (13 gigabyte) cache of data, including personal customer data viewable online for several days.

What Happened?

Security researcher Scott Helme from ‘Motherboard’, and Troy Hunt of website ‘Have I Been Pwned’, reportedly discovered that what the AA blamed on a server “misconfiguration” in fact meant that a huge file, allegedly containing addresses, names and parts of payment card numbers, was left exposed online.

Mr Hunt and Mr Helme reported finding 117,000 unique email addresses in the exposed file along with names, net addresses, credit card types, expiry dates and the final four digits of the card.

Motherboard and ‘Have I Been Pwned’ subscribers whose information was included in the exposed database (i.e. the victims) were contacted to verify whether the details were genuine and accurate, which they were reportedly found to be.

The AA Said…

AA president Edmund King is reported to have said that they first learned about the problem on 22 April. Soon after discovery, the firm that runs the shop on the AA’s behalf was told about the problem, and the vulnerability was resolved on 25 April. The AA has also reportedly said that, even though the database file was exposed, no (customer) payment details were compromised.

The AA Have Done…

Reports indicate that the AA have stated that they take data security very seriously, have opened an independent inquiry into the issue, have informed the UK’s data watchdog, the ICO, and have issued legal letters warning that dissemination of the exposed data would be a breach under the ‘Computer Misuse Act’.

Criticism

The reported criticism from those who discovered and made the details of the breach public appears to focus on accusations that the AA may not have informed all of the affected customers about the existence and the seriousness of the breach, and may in effect have kept quiet about it until others made it public.

What Does This Mean For Your Business?

This is another example, in what appears to be a long line of customer data breaches, involving high profile, well-known companies. This story is a reminder that, particularly with GDPR coming into force next year, companies need to be very familiar with data protection regulations, to ensure that they comply with them, and to realise that they are obliged by law to keep people’s personal information safe and secure.

Companies need to be as transparent as possible to customers about data breaches, and to inform them when data is exposed, rather than trying to keep quiet.

Businesses can help themselves and their customers avoid heartache by making sure that web and data security are issues that are prioritised, practices and systems are regularly reviewed and assessed for risk to make sure they are effective, compliant, and up to date, and that Disaster Recovery Plans are in place.

EU Roaming Charges Finally Finished

After a decade of campaigning by EU citizens, and after 2 years of preparing the mobile networks for the change, the European Commission has announced that there will be no more EU roaming charges.

What Does This Mean?

The abolition of roaming charges applies to calls, texts and browsing the internet, and this means that citizens who travel within the 28 countries of the EU will be able to call, text and connect on their mobile devices at the same price as they pay at home.

Balance

Statements from the EU have focused on what a valuable achievement the agreement between mobile network operators and EU countries is in terms of its contribution to the idea of the EU’s Digital Single Market and accessibility for all citizens.

Other statements have focused on the balance that has been needed to strike the deal with the mobile phone networks. This means offering customers a better deal and maintaining profitability of mobile networks, and many people have taken this to mean the mobile networks could make up the charges lost in roaming fees in other ways e.g. increasing domestic phone tariffs and charges.

Are There Any Caveats And Exceptions?

Yes. Although the EU statements say that roaming charges have been abolished for travellers in the EU, there are some important caveats, exceptions and anomalies. These are:

  • Exceeding your agreed minutes, texts and data allowances is still chargeable in the EU, just as it is in the UK.
  • The fair use clause still applies to data roaming. This means that even though you can make as many calls and send as many texts as you like at domestic prices, if your roaming data use exceeds “a reasonably high volume” at domestic rates, you may have to pay a surcharge of approximately £8.30 per gigabyte (inc VAT).
  • If you spend more time abroad than at home and consequently use your mobile more abroad than at home, you may still receive roaming charges. This is a result of a clause that was designed to dissuade people from taking out a contract in a low-cost country e.g. Romania.
  • Different providers include different countries in their roaming territories. Also, some countries are not automatically covered by the new rules e.g. Switzerland, Monaco, Andorra, some Eastern European nations, the Channel Islands and the Isle of Man.
  • Roaming charges will still apply when you are on board European ferries or cruise ships in the Mediterranean, the Baltic and across the English Channel. This is because you are between EU ports and are using a satellite link to the ship.
  • Calling another EU country from the UK will still incur extra charges.
  • Calls to any EU country are now cheaper as long as you make them from any EU country that isn’t the UK.
  • Three non-EU countries in the European Economic Area have not yet introduced ‘Roam Like at Home’ charges, but have said that they may do so a short time after 15th June. These are Iceland, Norway and Liechtenstein.

What Does This Mean For Your Business?

For business people who are frequent overseas travellers, and for UK citizens who plan to use their mobile while on holiday abroad, this announcement is good news. There is still a rational suspicion, however, that the mobile operators will make their lost roaming charges back somehow e.g. with higher tariffs and extra charges.

Brexit could, however, mean that the UK may lose its right to freedom from roaming charges. Some commentators believe that the UK could avoid this by negotiating equivalent measures, and / or that the mobile networks will introduce some lesser charges.

Legally, the UK government could decide whether or not EU price restrictions on roaming apply after the UK leaves the EU, because those restrictions are part of an EU regulation (not a directive) and are therefore not technically part of UK law. At this stage, it is unknown exactly how Brexit will affect the roaming charges issue going forward.