Auto Club Group (AAA)
A major AAA affiliate exposed member data—SSNs, driver's licenses, insurance policies, and vehicle information from millions of members.
What happened?
Auto Club Group, one of the largest AAA affiliates serving millions of members across multiple states, disclosed a data breach affecting member information. AAA isn't just roadside assistance—they're insurance companies, travel agencies, and financial services providers holding comprehensive member profiles.
What data was actually inside?
Social Security numbers, driver's license numbers, insurance policy details, vehicle information, and payment records. AAA collects identity documents for insurance underwriting, holds payment information for memberships and premiums, and tracks vehicle details for roadside assistance.
The combination of identity documents and vehicle information enables both identity theft and targeted physical crimes.
Who gets hurt and how?
AAA members who trusted one of America's most recognized brands with their personal information. They signed up for roadside assistance and insurance—services that require identity verification—and now their SSNs and driver's licenses are exposed.
Vehicle information combined with home addresses creates physical security risks. Insurance data enables fraud. Driver's licenses enable DMV fraud and identity theft.
What did they think they were doing right?
Auto Club Group is a major insurer, regulated by state insurance commissioners and operating under established compliance frameworks. They handle financial data for insurance and travel services. They've been trusted by American families for generations. The AAA brand carries expectations of reliability.
Brand trust doesn't equal security. Legacy organizations often have legacy systems with legacy vulnerabilities.
What did they not know about their own data?
Auto Club Group didn't know how their member data had accumulated across decades of service. Membership records, insurance policies, roadside assistance calls, travel bookings—each product adds more data. Multi-generational membership means family trees of data in their systems.
They knew they had member data. They didn't know how much was accessible until attackers demonstrated it.
What does attribution look like the morning after?
Notifications to members across multiple states. State insurance commissioner inquiries. State attorney general interest. Media coverage of a household-name brand failing to protect members. The breach affects trust built over a century of AAA service.
For membership organizations, trust is the product. Members pay dues expecting that their information is safe. Breaches break that fundamental bargain.
What would have changed the outcome?
Knowing where SSNs and driver's licenses live across all member systems.
If Auto Club Group had mapped their sensitive data—identity documents, payment records, vehicle information—across their entire member database, they could have prioritized protection. Decades of membership data means decades of accumulated liability. That liability requires comprehensive visibility.
Don't Learn What You Have From an Attacker
Auto Club Group didn't know what member data was at risk until the breach revealed it. Risk Finder shows you first.