Hackers have taken names, addresses, contact details and expired credit card numbers from the AA Traveller website used between 2003 and 2018.
AA travel and tourism general manager Greg Leighton said the data was taken in August last year and AA Traveller found out in March.
He said a lot of the data was not needed anymore, so it should have been deleted before the breach.
"You should be able to give your data and for that to be secure. We understand that and respect that and are incredibly sorry."
Leighton said cybersecurity experts reviewed the breach and "interpreted that the vulnerability definitely was there" and "there was some data that was extracted from the server".
He said the site was then secured "to ensure there's no further risk or vulnerability to individuals concerned."
AA Traveller is contacting all affected customers this week.
The association also identified in 2010 that nearly 30,000 people who took an online AA Travel New Zealand survey were at risk of being hacked by an overseas account.
All users were sent an email informing them of the risk and telling them to change their passwords.
Leighton said today: "These characters [hackers] are always looking for access points. It's just one of those things that occur. And it's very frustrating.
"But we should not have this happen. We're constantly looking at our security settings. We've certainly learned a great deal from this."
AA Traveller is working with the Office of the Privacy Commissioner.