AA Traveller says a data breach has affected hundreds of thousands of customers.
Hackers have taken names, addresses, contact details and expired credit card numbers from the AA Traveller website used between 2003 and 2018.
AA travel and tourism general manager Greg Leighton says the data was taken in August last year and AA Traveller found out in March.
He says a lot of the data was not needed anymore, so it should have been deleted, and the breach "could have been prevented".
"You should be able to give your data and for that to be secure. We understand that and respect that and are incredibly sorry."
Leighton says cybersecurity experts reviewed the breach and "interpreted that the vulnerability definitely was there" and "there was some data that was extracted from the server".
He says the site was then secured "to ensure there's no further risk or vulnerability to individuals concerned".
AA Traveller is contacting all affected customers this week.
The association also identified in 2010 that nearly 30,000 people who took an online AA Travel New Zealand survey were at risk of being hacked by an overseas account.
Users were all sent an email informing them and telling them to change their password.
"These characters [hackers] are always looking for access points. It's just one of those things that occur. And it's very frustrating.
"But we should not have this happen. We're constantly looking at our security settings. We've certainly learned a great deal from this."
The AA is now checking technology for "vulnerabilities" and ensuring data "is basically eliminated, where it's no longer required".
Leighton says it's unclear where the hackers were based.
AA Traveller is working with the Office of the Privacy Commissioner.