Multicard leaks data online in privacy breach: OAIC

Summary: The Office of the Australian Information Commission has found that Multicard failed to take reasonable steps to ensure that 9,000 applicant details would not be publicly exposed online.

Identification card solutions provider, Multicard, has been found to have leaked the personal information of approximately 9,000 maritime security identity card (MSIC) applicants online.

The Office of the Australian Information Commission (OAIC) found that Multicard stored personal information on a publicly accessible web server without appropriate security controls to prevent unauthorised access.

The personal information was discoverable via Google search over a four-month period. As a result, at least one unidentified unauthorised third party accessed and downloaded the information.

Australian Privacy Commissioner Timothy Pilgrim said Multicard failed to take reasonable steps to ensure the security of the personal information it held.

"The OAIC’s investigation found that Multicard failed to implement a number of basic security measures which resulted in a large amount of personal information being exposed. This was a data breach that could have easily been avoided," he said.

OAIC was initially informed about the data breach in January 2014 by the Office of Transport Security. It resulted in personal information, including first and last names, dates of birth, addresses, partial credit card numbers and expiry dates, and photographs being made publicly accessible online.

"I urge all organisations to carefully consider what security safeguards they have in place to protect the personal information they hold," Pilgrim said. "It was disappointing to find that, amongst other issues, there was no requirement for a password, username or other authenticator to establish the identity of the user before the information could be accessed."

However, the Commissioner found that Multicard acted appropriately to contain the data breach by immediately disabling its website and restricting access. Since the data breach, Multicard has appointed an independent auditor and taken a number of steps to improve its information security.

A similar data breach occurred in March where Telstra copped a AU$10,000 fine for inadvertently leaking 15,775 customer details online.

Topics: Security, Australia

About

Since completing a degree in journalism, Aimee has had her fair share of covering various topics, including business, retail, manufacturing, and travel. She continues to expand her repertoire as a tech journalist with ZDNet.
