Flight Centre accidentally released personal information including the passport numbers and credit card details of nearly 7,000 customers during a 2017 “design jam”.
Late last month, Australia’s Information and Privacy Commissioner Angelene Falk published her decision on Flight Centre Travel Group’s breach of the Privacy Act 1988. It’s not the first time the company has fallen foul of regulators, but this time it was for disclosing customers’ details without their consent.
The breach occurred when the company put on its first-ever design jam (also known as a hackathon) and brought together teams to try to come up with “technological solutions for travel agents to better support customers during the sales process.”
As part of the competition, 16 teams were given access to a dataset that they thought only contained basic, semi-anonymised information such as a customer’s year of birth, postcode and information about their booking.
But unknowingly, the company had included 5092 passport numbers, details of 4011 credit cards, 475 usernames and passwords, and 757 customers’ dates of birth, belonging to 6918 individuals, in a section of the data.
This was discovered by one person taking part in the hackathon who subsequently reported it to Flight Centre.
In the decision, Falk castigated the company for the processes that allowed this to happen.
“The storage of passport information and credit card details in a free text field (in a manner inconsistent with applicable policies), and the absence of technical controls to prevent or detect such incorrect storage, caused an inherent data security risk in terms of how this kind of personal information was protected by the respondent immediately prior to the data breach,” she wrote.
The company claimed there was no evidence that this data was misused.
Flight Centre contacted the affected individuals, but was unable to reach 1012 of them for whom it had insufficient contact details. Additionally, the company paid out nearly $70,000 in passport replacement costs, as well as an additional amount for credit monitoring services.
Falk found that Flight Centre’s actions led to a disclosure of the data, and that consumers did not consent to its use in this way.
But, noting the company’s response and promises to improve procedures, the Commissioner said it did not need to compensate victims further.
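The Commissioner’s finding turns on a missing control: nothing detected card or passport numbers sitting in a free text field before the dataset was shared. As an added example (not code from Flight Centre or the decision), a pre-release scan of that kind could look like this; the field name `notes`, the sample rows and the passport pattern are assumptions.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Assumed passport shape (one or two letters, then seven digits); adjust per issuing country.
PASSPORT_RE = re.compile(r"\b[A-Z]{1,2}\d{7}\b")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return the kinds of sensitive data found in one free-text value."""
    findings = []
    # The Luhn check filters out long digit runs that are not card numbers (booking refs etc.).
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text)):
        findings.append("card_number")
    if PASSPORT_RE.search(text.upper()):
        findings.append("passport_number")
    return findings


def scan_rows(rows, free_text_fields):
    """Return (row_index, field, kinds) for each free-text field holding sensitive data."""
    hits = []
    for idx, row in enumerate(rows):
        for field in free_text_fields:
            kinds = scan_text(str(row.get(field) or ""))
            if kinds:
                hits.append((idx, field, kinds))
    return hits


# Constructed sample rows; 4111 1111 1111 1111 is a widely used test card number.
SAMPLE_ROWS = [
    {"birth_year": 1980, "postcode": "4000", "notes": "Window seat requested"},
    {"birth_year": 1975, "postcode": "2000", "notes": "cc 4111 1111 1111 1111 exp 01/20"},
    {"birth_year": 1990, "postcode": "3000", "notes": "ppt n1234567, ref 1234567890123"},
]

if __name__ == "__main__":
    print(scan_rows(SAMPLE_ROWS, ["notes"]))
```

Running a scan like this as a release gate, and failing the export on any hit, is one way to keep a dataset that is meant to be semi-anonymised from leaving with such values still in it.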