A 2017 data breach at Flight Centre occurred when passport and credit card numbers for 6918 customers were accidentally left in a dataset used by the participants of a hackathon.
Details of the breach are revealed in a determination by the Australian Information Commissioner and Privacy Commissioner Angelene Falk that Flight Centre breached Australian privacy principles, including by using data for purposes other than the purpose for which it was originally collected.
The breach was reported at the time but details were scarce, other than that some data was disclosed to “third-party suppliers” in error.
It has now been revealed that Flight Centre disclosed the data through a “design jam” that ran over three days in March 2017 “to create technological solutions for travel agents to better support customers during the sales process”.
It was the first time Flight Centre had run such an event, and participants weren’t required to sign a non-disclosure agreement or any other paperwork to join.
A total of sixteen teams participated in the hackathon-like event, and were given access to a dataset “for the 2015 and 2016 calendar years containing 106 million rows of data”.
“A file in the set contained 28 million rows of data from the respondent’s quoting, invoicing and receipt process,” Falk wrote in a judgment.
“The data file contained 6,121,565 individual customer records. Information identified to contain personal information had been obfuscated, leaving what was believed to be only the customer’s year of birth, postcode, gender and booking information.”
Falk wrote that Flight Centre reviewed “a top 1000 row sample of each data file in the dataset to ensure the data did not contain any personal information.”
However, on the final day of the “design jam”, an event participant found credit card information in an “unstructured, free text field in the data”, and notified Flight Centre.
On further review, Flight Centre said the field “mistakenly included details of 4011 credit cards and 5092 passport numbers for 6918 individuals.”
“Additionally, 475 usernames and passwords (mostly to vendor and supplier portals) and 757 rows containing customers’ date of birth were disclosed,” the commissioner wrote.
The free text field’s official purpose was for “employees to communicate information about a booking”.
Despite internal policies and training, “multiple travel consultants used the free text field to record customers’ credit card information and passport numbers in the period 1 January 2015 to 31 December 2016,” Falk wrote.
Also, there were no IT controls in place to recognise passport or credit card numbers being added to the field.
“The storage of passport information and credit card details in a free text field (in a manner inconsistent with relevant policies), and the absence of technical controls to prevent or detect such incorrect storage, caused an inherent data security risk in terms of how this kind of personal information was protected by the respondent immediately prior to the data breach,” the commissioner wrote.
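An added example (not taken from the determination or from Flight Centre’s systems) of the kind of technical control described above as absent: every free-text value is scanned for Luhn-valid card numbers and passport-shaped tokens, and the result is contrasted with a review limited to the first 1000 rows. The passport pattern, the row contents and all function names are assumptions constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed passport shape (one or two capital letters, then seven digits);
# adjust per issuing country.
PASSPORT_RE = re.compile(r"\b[A-Z]{1,2}\d{7}\b")


def luhn_ok(digits):
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def find_sensitive(text):
    """Return the kinds of sensitive value found in one free-text field."""
    kinds = []
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in CARD_RE.finditer(text)):
        kinds.append("card")
    if PASSPORT_RE.search(text):
        kinds.append("passport")
    return kinds


def scan(rows, limit=None):
    """Scan (row_id, note) pairs; limit=N mimics reviewing only the first N rows."""
    hits = {}
    for row_id, note in (rows if limit is None else rows[:limit]):
        kinds = find_sensitive(note)
        if kinds:
            hits[row_id] = kinds
    return hits


# Constructed sample: 5000 benign booking notes with two bad rows deep in the file.
ROWS = [(i, f"Customer prefers aisle seat, booking ref {i:06d}") for i in range(5000)]
ROWS[3210] = (3210, "pax paid by card 4111 1111 1111 1111 exp 01/30")  # public test number
ROWS[4777] = (4777, "passport N1234567 sighted at counter")  # made-up value

SAMPLE_HITS = scan(ROWS, limit=1000)  # first-1000-rows review
FULL_HITS = scan(ROWS)                # scan of every row
```

The same `find_sensitive` check can run at write time to reject a note before it is stored, and on a schedule over existing rows.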
6918 customers affected
Footnotes in the determination show that of the 6918 affected individuals, “there were 1012 … for whom [Flight Centre] had insufficient contact details and was therefore unable to notify.”
The rest of the affected customers were notified on July 7 2017.
Flight Centre said there was no evidence the data was misused. It confirmed with all participants in the “design jam” that the data was “destroyed”.
The company said it scanned its IT systems following the incident “to detect and remove any other instances of incorrect storage of credit card or passport information”, and had run weekly scans since.
It also made improvements to its “systems and software to ensure credit card information and passport information cannot be stored in free text data fields”, engaged “a third party threat intelligence expert to monitor social media and the dark web, to identify if the leaked data or information relating to it was published” and updated its privacy and data handling policies.
Flight Centre’s defence to the OAIC investigation included that it did not “disclose” the personal data to third parties, but rather granted them access to a dataset it controlled for limited “use”.
Falk wrote in her determination that neither term is defined in Australian privacy laws.
However, she ruled Flight Centre’s error amounted to a disclosure of the data.
The commissioner also found that the disclosure, while accidental, was for a “secondary purpose” – a hackathon – that sat outside the primary purpose for which the data had originally been collected.
However, Falk found “no evidence … that indicates that individuals expressly consented to the use or disclosure of their personal information for the product development purpose.”
Commissioner Falk said that Flight Centre did not need to compensate the victims of the breach, though it had paid out $68,500 in passport replacement costs, plus an unknown amount for credit monitoring services for those affected.
The company would also not suffer further repercussions, with the commissioner saying it had provided candid responses throughout, and that it no longer ran the “design jam” events.
The commissioner also took into account the impact of Covid-19 on Flight Centre’s business.