A 2017 data breach at Flight Centre occurred when passport and credit card numbers for 6918 customers were accidentally left in a dataset used by the participants of a hackathon.
Details of the breach are revealed in a determination by the Australian Information Commissioner and Privacy Commissioner Angelene Falk that Flight Centre breached Australian privacy principles, including by using data for purposes other than the reason it was originally collected.
It has now been revealed Flight Centre disclosed the data through a “design jam” that ran over three days in March 2017 “to create technological solutions for travel agents to better support customers during the sales process”.
It was the first time Flight Centre had run such an event, and participants weren’t required to sign a non-disclosure agreement or any other paperwork to join.
A total of 16 teams participated in the hackathon-like event, and were provided access to a dataset “for the 2015 and 2016 calendar years containing 106 million rows of data”.
“A file within the set contained 28 million rows of data from the respondent’s quoting, invoicing and receipt system,” Falk wrote in a judgment.
“The data file contained 6,121,565 individual customer records. Details known to contain personal information were obfuscated, leaving what was thought to be only the customer’s year of birth, postcode, gender and booking information.”
Falk wrote that Flight Centre reviewed “a top 1000 row sample of each data file within the dataset to ensure the data did not contain any personal information.”
However, on the final day of the “design jam”, an event participant noticed credit card information in an “unstructured, free text field in the data”, and notified Flight Centre.
Upon further examination, Flight Centre said the field “mistakenly included details of 4011 credit cards and 5092 passport numbers for 6918 individuals.”
“Additionally, 475 usernames and passwords (mostly to vendor and supplier portals) and 757 rows containing customers’ date of birth were disclosed,” the commissioner wrote.
The free text field’s official purpose was for “employees to communicate information about a booking”.
Despite internal policies and training, “multiple travel consultants used the free text field to record customers’ credit card information and passport numbers in the period 1 January 2015 to 31 December 2016,” Falk wrote.
Additionally, there were no IT controls in place to recognise passport or credit card numbers being added to the field.
“The storage of passport information and credit card details in a free text field (in a manner inconsistent with applicable policies), and the absence of technical controls to prevent or detect such incorrect storage, caused an inherent data security risk in terms of how this kind of personal information was protected by the respondent immediately prior to the data breach,” the commissioner wrote.
6918 customers impacted
Footnotes in the determination show that of the 6918 affected individuals, “there were 1012 ... for whom [Flight Centre] had insufficient contact details and was thus unable to notify.”
The rest of the impacted customers were notified on July 7 2017.
Flight Centre said there was no evidence the data was misused. It confirmed with all participants in the “design jam” that the data was “destroyed”.
The company said it scanned its IT systems following the incident “to identify and remove any other instances of incorrect storage of credit card or passport information”, and had run weekly scans since.
It also made improvements to its “systems and software to ensure credit card information and passport information cannot be stored in free text data fields”; engaged “a third party threat intelligence specialist to monitor social media and the dark web, to determine if the leaked data or information relating to it was published”; and updated its privacy and data handling policies.
Flight Centre’s defence to the OAIC investigation included that it did not “disclose” the personal data to third parties, but rather granted them access to a dataset it controlled for limited “use”.
Falk wrote in her determination that neither term is defined in Australian privacy laws.
However, she ruled Flight Centre’s error amounted to a disclosure of the data.
The commissioner also found that the disclosure, while accidental, was for a “secondary purpose” - a hackathon - that sat outside the primary purpose for which the data had originally been collected.
However, Falk found “no evidence ... that indicates that individuals expressly consented to the use or disclosure of their personal information for the product development purpose.”
Commissioner Falk said that Flight Centre did not need to compensate the victims of the breach, though it had paid out $68,500 in passport replacement costs, plus an unknown amount for credit monitoring services for those impacted.
The company would also not suffer further repercussions, with the commissioner saying it had provided candid responses throughout, and that it no longer ran the “design jam” events.
The commissioner also took into account the impact of Covid-19 on Flight Centre’s business.