OAIC finds Flight Centre breached privacy of almost 7,000 customers in 2017

Handing over production data on six million customers and a bad obfuscation process was always going to lead to a bad outcome.
Written by Chris Duckett, Contributor

The Australian Information Commissioner and Privacy Commissioner Angelene Falk has handed down a determination that Flight Centre breached the privacy of 6,918 customers when it held its "design jam" event across the weekend of March 24 to March 26 in 2017.

On the first day of the event, Flight Centre handed a data set containing production data from the 2015 and 2016 calendar years to the 16 teams competing in the event, which consisted of 90 people in total.


The data set had 106 million rows, and the company believed it had obfuscated its customers' personal information, leaving only year of birth, postcode, gender, and booking information. According to Falk's determination, Flight Centre had its business intelligence and Australian infosec teams, as well as the event coordinators, review the first 1,000 rows of the file to confirm it contained no sensitive information.

However, 36 hours after the event had begun, one of the participants found that a free text field under a column called "ProductName" contained credit card information.

Flight Centre then reviewed the file and found it contained 4,011 credit card numbers and 5,092 passport numbers, affecting 6,918 people, as well as 475 usernames and passwords, mostly for vendor portals. A further 757 dates of birth were also identified.

Upon learning of the breach, the company blocked access to the file and truncated the column to 10 characters, obtained verbal confirmation from participants that they had destroyed all copies of the file, and began a post-incident review. Those whose payment or passport details were exposed were notified by the company and offered a year of free identity theft and credit monitoring coverage, and Flight Centre coughed up for the cost of replacement passports where customers opted for them.

Falk said Flight Centre had assessed the incident as low risk because it involved no intrusion, was not malicious, the data had been accessed by a known number of third parties, and there was no evidence of misuse.

At the heart of the breach, Falk wrote, was that Flight Centre had no technical controls to prevent travel consultants from entering passport information and credit card details into a free text field; the only safeguard was a company policy that staff were expected to comply with.

"The absence of technical controls to prevent or detect such incorrect storage caused an inherent data security risk in terms of how this kind of personal information was protected by the respondent immediately prior to the data breach," Falk said.

At the time of the incident, Flight Centre could detect inappropriate storage of credit card information in some of its systems, but not in its quoting, invoicing, or receipting systems. The company now scans weekly for payment and passport information stored in free text fields.
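The two control failures the determination describes, a release check that looked only at the first 1,000 rows of a 106-million-row file and the absence of any scan for card or passport data in free text columns, can both be illustrated with a small scanner. The following is an added example written for this page, not Flight Centre's tooling: it walks every row of a constructed data set (rows 1050 and 1100 carry the planted leaks, so a head-only sample finds nothing), pulls 13- to 19-digit sequences out of the free text column, and keeps only those that pass the Luhn check, which is what separates a card number from a booking reference or phone number. The passport pattern (one or two letters followed by seven digits) and the column names are assumptions made for the illustration.

```python
import re

# Candidate card number: 13-19 digits, optionally separated by spaces or
# hyphens, not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# ASSUMPTION for this example: a passport-like token is 1-2 capital letters
# followed by seven digits. Real scanners would use per-issuer formats.
PASSPORT_CANDIDATE = re.compile(r"\b[A-Z]{1,2}\d{7}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; payment card numbers satisfy it, booking refs rarely do."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in free text (separators stripped)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(value: str) -> str:
    """Keep only the last four characters so findings can be logged safely."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_rows(rows, free_text_columns, limit=None) -> list:
    """Scan the given free text columns of every row (or only the first `limit`
    rows, mimicking a head-only review). Returns one finding per hit."""
    findings = []
    for idx, row in enumerate(rows):
        if limit is not None and idx >= limit:
            break
        for col in free_text_columns:
            text = row.get(col) or ""
            for pan in find_pans(text):
                findings.append({"row": idx, "column": col,
                                 "kind": "credit_card", "masked": mask(pan)})
            for m in PASSPORT_CANDIDATE.finditer(text):
                findings.append({"row": idx, "column": col,
                                 "kind": "passport", "masked": mask(m.group())})
    return findings


def build_sample_rows(n: int = 1200) -> list:
    """Constructed sample data for this example, not Flight Centre's file.
    Every row looks clean except two that sit past the first 1,000 rows."""
    rows = []
    for i in range(n):
        # Booking ref (13 digits, fails Luhn) and phone number (11 digits): no hit.
        product = (f"Return flight MEL-SIN, booking ref 1234567890123, "
                   f"tel +61 2 9123 4567 (#{i})")
        if i == 1050:
            # 4111 1111 1111 1111 is the well-known Visa test number (Luhn-valid).
            product = "Hotel 3 nights, pax paid by card 4111 1111 1111 1111 exp 12/19"
        elif i == 1100:
            product = "Cruise deposit - passport PA1234567 holder DOB 1980"
        rows.append({"YearOfBirth": "1980", "Postcode": "3000",
                     "Gender": "F", "ProductName": product})
    return rows


if __name__ == "__main__":
    rows = build_sample_rows()
    head_only = scan_rows(rows, ["ProductName"], limit=1000)
    full = scan_rows(rows, ["ProductName"])
    print(f"first-1000-rows review: {len(head_only)} findings")
    print(f"full scan:              {len(full)} findings")
    for f in full:
        print(f"  row {f['row']} {f['column']} {f['kind']} {f['masked']}")
```

The head-only review returns nothing while the full scan reports the card at row 1050 and the passport at row 1100, which is the point: a check that does not cover every row of every free text column cannot confirm a file is safe to hand out. The Luhn filter is what keeps the scan usable at scale, since booking references and phone numbers would otherwise drown the real hits.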

Falk also criticised the company for handing over such a large data set in the first event it had run, and not requiring participants to sign an agreement.

"This determination is a strong reminder for organisations to build privacy by design into new projects involving personal information handling, particularly where large datasets will be shared with third-party suppliers for analysis," Falk said on Monday.

"Organisations should assume that human errors -- such as the inadvertent disclosure of personal information to suppliers -- could occur and take steps to prevent them.

"They should also carry out privacy impact assessments for data projects to assist in identifying and addressing all relevant privacy impacts."

Because the company reacted swiftly, notified individuals before the Notifiable Data Breaches Scheme came into force, offered those impacted a number of services, paid for dark web monitoring to check whether the details were being misused, and dealt candidly with her office, Falk said it was not appropriate to take further action beyond declaring that Flight Centre must not repeat the conduct.
