AAA Driver Training School Data Breach Exposes Personal Information of Over 25,000 Individuals
Shamis & Gentile P.A., a class action law firm specializing in data breach cases, is investigating a cybersecurity incident involving AAA Driver Training School, Inc., a driver education provider affiliated with AAA Northeast. The breach, discovered in late December 2025, stemmed from unauthorized third-party access to systems managed by the school’s software vendor.
The vendor acted to terminate the unauthorized access and secure the affected systems. By January 2026, the exposed data was identified, revealing that 25,247 individuals in Massachusetts had their sensitive information compromised. The breach was limited to AAA Northeast’s territory and did not affect other AAA Northeast data or payment card information.
The incident was officially reported to the Massachusetts Office of Consumer Affairs and Business Regulation on March 5, 2026. Exposed data included driver’s licenses, contact information, dates of birth, driver permit/license numbers, and student names.
Legal representatives are now reviewing potential claims for affected individuals. The breach highlights vulnerabilities in third-party vendor security within the driver education sector.
Source: https://www.claimdepot.com/investigations/aaa-driver-training-school-data-breach-2026
AAA Northeast cybersecurity rating report: https://www.rankiteo.com/company/aaanortheast
AAA Northeast cybersecurity rating report: https://www.rankiteo.com/company/aaa-northeast
"id": "AAAAAA1772749856",
"linkid": "aaanortheast, aaa-northeast",
"type": "Breach",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '25,247 individuals',
'industry': 'Education',
'location': 'Massachusetts, USA',
'name': 'AAA Driver Training School, Inc.',
'type': 'Driver education provider'}],
'attack_vector': 'Third-party vendor compromise',
'data_breach': {'number_of_records_exposed': '25,247',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (personally identifiable '
'information)',
'type_of_data_compromised': ['Driver’s licenses',
'Contact information',
'Dates of birth',
'Driver permit/license numbers',
'Student names']},
'date_detected': '2025-12-01',
'date_publicly_disclosed': '2026-03-05',
'description': 'Shamis & Gentile P.A., a class action law firm specializing '
'in data breach cases, is investigating a cybersecurity '
'incident involving AAA Driver Training School, Inc., a driver '
'education provider affiliated with AAA Northeast. The breach, '
'discovered in late December 2025, stemmed from unauthorized '
'third-party access to systems managed by the school’s '
'software vendor. The vendor acted to terminate the '
'unauthorized access and secure the affected systems. By '
'January 2026, the exposed data was identified, revealing that '
'25,247 individuals in Massachusetts had their sensitive '
'information compromised. The breach was limited to AAA '
'Northeast’s territory and did not affect other AAA Northeast '
'data or payment card information. The incident was officially '
'reported to the Massachusetts Office of Consumer Affairs and '
'Business Regulation on March 5, 2026. Exposed data included '
'driver’s licenses, contact information, dates of birth, '
'driver permit/license numbers, and student names.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to AAA '
'Northeast and AAA Driver Training '
'School',
'data_compromised': 'Personal information of 25,247 individuals',
'identity_theft_risk': 'High (exposure of driver’s licenses, dates '
'of birth, and permit/license numbers)',
'legal_liabilities': 'Potential class action lawsuits',
'payment_information_risk': 'None (payment card information not '
'affected)',
'systems_affected': 'Vendor-managed systems of AAA Driver Training '
'School'},
'initial_access_broker': {'entry_point': 'Third-party vendor systems'},
'investigation_status': 'Under investigation by Shamis & Gentile P.A.',
'lessons_learned': 'Highlights vulnerabilities in third-party vendor security '
'within the driver education sector',
'post_incident_analysis': {'root_causes': 'Third-party vendor security '
'vulnerability'},
'references': [{'source': 'Shamis & Gentile P.A.'}],
'regulatory_compliance': {'legal_actions': 'Potential class action lawsuits '
'under review',
'regulatory_notifications': 'Reported to '
'Massachusetts Office '
'of Consumer Affairs '
'and Business '
'Regulation'},
'response': {'communication_strategy': 'Reported to Massachusetts Office of '
'Consumer Affairs and Business '
'Regulation',
'containment_measures': 'Unauthorized access terminated',
'remediation_measures': 'Systems secured by vendor',
'third_party_assistance': 'Vendor acted to terminate '
'unauthorized access and secure '
'systems'},
'threat_actor': 'Unauthorized third-party',
'title': 'AAA Driver Training School Data Breach Exposes Personal Information '
'of Over 25,000 Individuals',
'type': 'Data Breach'}