Multicard breached Privacy Act by leaking ID data online

Global ID card solutions provider Multicard breached its customers’ privacy when it made the personal information of 9000 people with border clearance publicly available, the Commonwealth Privacy Commissioner has concluded.

Commissioner Timothy Pilgrim today found Multicard had stored the data on a publicly accessible server without appropriate security controls, resulting in personal information - including dates of birth, addresses, first and last names and partial credit card numbers - becoming available online. 

The 9000 affected persons were all holders of a maritime security identification card  (MISC) - a national form of documentation used to identify those who have cleared a background check so they can work unmonitored in a maritime security zone.

The information was discoverable through Google over a four month period from September 2012, and accessed and downloaded by unauthorised parties, the Office of the Information Commissioner said.

The OAIC found Multicard had stored the MSIC information in randomly named sub-folders in an uploads folder on a publicly accessible web server, and had incorrectly configured its website to allow directory browsing, including to those folders.

The vendor also failed to configure its website to request search robots not to index the parts of the MSIC website not intended for public access.

The OAIC found the company failed to implement several basic security measures.

"This was a data breach that could have easily been avoided,” Pilgrim said in a statement.

"It was disappointing to find that, amongst other issues, there was no requirement for a password, username or other authenticator to establish the identity of the user before the information could be accessed."

The Commissioner did find that Multicard had acted appropriately after discovering the breach, immediately disabling its website and restricting access. It has also appointed an independent auditor and taken several steps to improve its information security since the breach, the Commissioner said.

The OAIC was notified of the data breach by the Office of Transport Security in January last year and commenced its investigation the following month.