When a ‘design jam’ ends up costing thousands of dollars in new passports

UPDATED An Australian travel agency has been criticized, but not fined, after regulators decided it was to blame for exposing user data during a coding event.

The breach – which resulted in the exposure of passport information and payment card details – occurred during a ‘design jam’ held by Flight Centre Travel Group in March 2017.

The travel retailer’s technology exercise involved supplying 16 teams of 90 coders with a dataset containing more than six million customer records as raw material for the development of new travel agent technology.

Details known to contain personal information were obfuscated, leaving what was thought to be only the customers’ year of birth, postcode, gender, and booking information in the dataset.

Plane text offender

However, the sanitization of the data was incomplete: one of the participants in the coding event discovered that credit card information “was stored in an unstructured, free text field in the data” and notified the organizers.

Flight Centre later determined that 4,011 credit cards and 5,092 passport numbers for 6,918 individuals, as well as 475 usernames and passwords, were included in the dataset.

The error was only found after the information had been available for 36 hours.
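An added example, not from the article or from Flight Centre: a pre-release scan aimed at the failure described above, checking every string field of each record, free text included, for Luhn-valid card numbers and passport-like tokens. The field names, sample rows and passport pattern are assumptions made for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Assumed passport shape (1-2 letters then 7 digits); adjust per issuing country.
PASSPORT_RE = re.compile(r"(?<![A-Za-z0-9])[A-Za-z]{1,2}\d{7}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_record(record: dict) -> list:
    """Return (field, kind) findings for every string field, not only known PII columns."""
    findings = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for m in PAN_RE.finditer(value):
            if luhn_ok(re.sub(r"\D", "", m.group())):
                findings.append((field, "card_number"))
        # Passport tokens are flagged only when the field also mentions "passport".
        if "passport" in value.lower() and PASSPORT_RE.search(value):
            findings.append((field, "passport_number"))
    return findings


def release_gate(records: list) -> dict:
    """Map record index -> findings; an empty dict means the scan found nothing."""
    return {i: f for i, r in enumerate(records) if (f := scan_record(r))}


# Constructed sample rows; 4111 1111 1111 1111 is a widely used test card number.
SAMPLE = [
    {"yob": "1984", "postcode": "4000", "gender": "F", "notes": "window seat"},
    {"yob": "1979", "postcode": "2000", "gender": "M",
     "notes": "pax paid w/ 4111 1111 1111 1111 exp 09/19, passport N1234567"},
    {"yob": "1990", "postcode": "3000", "gender": "F",
     "notes": "booking ref 1234567890123456"},  # 16 digits, fails Luhn
]
```

A non-empty result from `release_gate` should block the dataset from leaving the organization until the flagged fields are dropped or redacted; an empty result only means these patterns were not found.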


Although Flight Centre is credited with acting promptly to notify the affected customers as well as investigating and learning from the incident, Australian privacy regulators still faulted the retailer for a number of failings that led to the breach.

The travel agency wound up paying A$68,500 (US$51,876) to replace the passports of affected customers.

Privacy by design

In a ruling returned late last month, the Australian Information Commissioner and Privacy Commissioner (OAIC) faulted Flight Centre Travel Group for failures to follow legally mandated privacy principles.

In a statement, Commissioner Angelene Falk commented: “This determination is a strong reminder for organisations to build privacy by design into new projects involving personal information handling, particularly where large datasets will be shared with third party suppliers for analysis.

“Organisations should assume that human errors – such as the inadvertent disclosure of personal information to suppliers – could occur and take steps to prevent them.


“They should also carry out Privacy Impact Assessments for data projects to assist in identifying and addressing all relevant privacy impacts,” she concluded.

Flight Centre’s privacy policy included some general statements about disclosing personal information to improve and develop their products, but this was ruled inadequate to count as valid consent for the disclosure of personal information exposed during the design jam.

In response to a request for comment, Flight Centre Travel Group told The Daily Swig that it welcomed the fact no further action will be taken.

"The Flight Centre Travel Group takes data security and privacy issues very seriously," it said.

"When this incident occurred more than three years ago, the company took immediate action to resolve the issue, which arose as a result of a human error, and to ensure it could not happen again.

"We are generally pleased with the findings and that no further action will be taken," The Flight Centre Travel Group concluded.

This story was updated to add comment from The Flight Centre Travel Group
