A 2017 knowledge breach at Flight Centre occurred when passport and credit rating card numbers for 6918 consumers were accidentally left in a dataset applied by the individuals of a hackathon.
Information of the breach are revealed in a perseverance by the Australian Facts Commissioner and Privateness Commissioner Angelene Falk that Flight Centre breached Australian privateness rules, together with by employing knowledge for applications other than the explanation it was at first gathered.
The breach was documented at the time but aspects were scarce, other than some knowledge was disclosed to “third-social gathering suppliers” in mistake.
It has now been revealed Flight Centre disclosed the knowledge via a “design jam” that ran over 3 days in March 2017 “to produce technological answers for vacation brokers to much better guidance consumers all through the product sales process”.
It was the initial time Flight Centre experienced operate this sort of an party, and individuals weren’t required to signal a non-disclosure agreement or any other paperwork to be a part of.
A total of 16 teams participated in the hackathon-like party, and were offered obtain to a dataset “for the 2015 and 2016 calendar many years that contains 106 million rows of data”.
“A file inside of the established contained 28 million rows of knowledge from the respondent’s quoting, invoicing and receipt system,” Falk wrote in a judgment.
“The knowledge file contained six,121,565 particular person consumer data. Information known to contain personal information were obfuscated, leaving what was believed to be only the customer’s 12 months of start, postcode, gender and scheduling information.”
Falk wrote that Flight Centre reviewed “a top rated one thousand row sample of each knowledge file inside of the dataset to ensure the knowledge did not contain any personal information.”
However, on the final working day of the “design jam”, an party participant observed credit rating card information in an “unstructured, absolutely free textual content industry in the data”, and notified Flight Centre.
On additional assessment, Flight Centre explained the industry “mistakenly incorporated aspects of 4011 credit rating cards and 5092 passport numbers for 6918 persons.”
“Additionally, 475 usernames and passwords (largely to vendor and provider portals) and 757 rows that contains customers’ date of start were disclosed,” the commissioner wrote.
The absolutely free textual content field’s official intent was for “employees to connect information about a booking”.
Despite interior insurance policies and schooling, “multiple vacation consultants applied the absolutely free textual content industry to document customers’ credit rating card information and passport numbers in the time period 1 January 2015 to 31 December 2016,” Falk wrote.
Furthermore, there were no IT controls in spot to recognise passport or credit rating card numbers getting extra to the industry.
“The storage of passport information and credit rating card aspects in a absolutely free textual content industry (in a method inconsistent with relevant insurance policies), and the absence of complex controls to protect against or detect this sort of incorrect storage, caused an inherent knowledge safety danger in terms of how this kind of personal information was secured by the respondent immediately prior to the knowledge breach,” the commissioner wrote.
6918 consumers impacted
Footnotes in the perseverance demonstrate that of the 6918 influenced persons, “there were 1012 … for whom [Flight Centre] experienced inadequate get in touch with aspects and was therefore not able to notify.”
The rest of the impacted consumers were notified on July 7 2017.
Flight Centre explained there was no proof the knowledge was misused. It confirmed with all individuals in the “design jam” that the knowledge was “destroyed”.
The enterprise explained it scanned its IT systems adhering to the incident “to discover and clear away any other cases of incorrect storage of credit rating card or passport information”, and experienced operate weekly scans considering the fact that.
It also created enhancements to its “systems and computer software to ensure credit rating card information and passport information are unable to be saved in absolutely free textual content knowledge fields” engaged “a 3rd social gathering danger intelligence professional to check social media and the dim world wide web, to figure out if the leaked knowledge or information relating to it was published” and up-to-date its privateness and knowledge managing insurance policies.
Flight Centre’s defence to the OAIC investigation incorporated that it did not “disclose” the personal knowledge to 3rd events, but fairly granted them obtain to a dataset it managed for minimal “use”.
Falk wrote in her perseverance that neither time period is defined in Australian privateness legislation.
However, she ruled Flight Centre’s mistake amounted to a disclosure of the knowledge.
The commissioner also located that the disclosure, while accidental, was for a “secondary purpose” – a hackathon – that sat outdoors the most important intent for which the knowledge experienced at first been gathered.
Flight Centre, nonetheless, “maintained that its privateness policy permitted the use of personal information for product or service enhancement applications as all consumers consented to this in the training course of transacting” with the enterprise.
However, Falk located “no proof … that indicates that persons expressly consented to the use or disclosure of their personal information for the product or service enhancement intent.”
“[Flight Centre’s] privateness policy … ‘bundled’ alongside one another information about a extensive vary of possible collections, works by using and disclosures of personal information, with out supplying consumers the opportunity to choose which collections, works by using and disclosures they agreed to and which they did not,” the commissioner wrote.
“Any purported consent was not voluntary, as the privateness policy did not provide persons with a real opportunity to choose which collections, works by using and disclosures they agreed to, and which they did not.”
Commissioner Falk explained that Flight Centre did not need to have to compensate the victims of the breach, although it experienced paid out out $sixty eight,500 in passport replacement costs, additionally an mysterious sum for credit rating checking products and services for these impacted.
The enterprise would also not suffer additional repercussions, with the commissioner expressing it experienced offered candid responses all over, and that it no more time ran the “design jam” activities.
The commissioner also took into account the affect of Covid-19 on Flight Centre’s business enterprise.