Originally Posted by danpeake
Anyone able to provide a technical answer as to what may have happened?
Quite simply: someone in AA's security team issued a revocation of their SSL certificate. (The mechanism that allows you to communicate with the site "securely".) This can be for a number of reasons, up to and including them believing someone obtained a copy of their private certificate. With public key cryptography, even the suspicion that your private certificate may have been exposed will require companies on the ball to immediately revoke the certificate and obtain a new one.
A copy of your certificate in the wild means an attacker would be able to spoof aa.com and you would not know you weren't at the legitimate site.
Keep in mind that the issue may not have necessarily been due to a malicious or nefarious incident; someone at AA themselves may have inadvertently exposed the private key (it happens).
Some background reading, for those that may be interested:
https://www.globalsign.com/en/ssl-in...l-certificate/
A great post that explains how public/private key cryptography works:
https://blog.vrypan.net/2013/08/28/p...for-non-geeks/
The bottom line: an incident like this is painful for a company, but the alternative is much worse. It's entirely possible we may never know what led to them revoking their cert.