Travel Agents

Investigation finds travel agent ‘design jam’ the cause of big Flight Centre data breach

Huntley Mitchell

Huntley Mitchell

An investigation into a major data breach involving Flight Centre Travel Group (FCTG) more than three years ago has found that the company broke a number of Australian Privacy Principles.

In early 2017, FCTG organised a first-of-its-kind ‘design jam’ for March of that year, according to a recently published judgement by Australian Information and Privacy Commissioner Angelene Falk.

“The purpose of the event was to create technological solutions for travel agents to better support customers during the sales process,” Falk wrote.

“Sixteen teams, comprising 90 individuals, registered for and participated in the event.”

On 24 March 2017, Falk said FCTG provided event participants with access to a dataset for the 2015 and 2016 calendar years containing 106 million rows of data.

A file within the set contained 28 million rows of data from FCTG’s quoting, invoicing and receipting system. Falk said the data file contained 6,121,565 individual customer records.

Details known to contain personal information were obfuscated, leaving what was thought to be only the customer’s year of birth, postcode, gender, and booking information.

Representatives from FCTG reviewed a top 1,000-row sample of each data file within the dataset to ensure the data did not contain any personal information, according to Falk.

However, on 26 March 2017, an event participant notified FCTG that they had identified credit card information that was stored in an unstructured, free text field in the data provided to all event participants.

Falk noted in her case determination that by this time, the information had been available for approximately 36 hours.

“[FCTG] later identified that the customer information disclosed to the event participants mistakenly included details of 4,011 credit cards and 5,092 passport numbers for 6,918 individuals,” she wrote.

“Additionally, 475 usernames and passwords (mostly to vendor and supplier portals) and 757 rows containing customers’ date of birth were disclosed.”

FCTG claimed that it did not permit passport information and credit card details to be included in the free text field of its system.

Instead, the free text field was intended to be used by the company’s employees to communicate information about a booking.

However, Falk said that despite FCTG’s internal policies and training, the information showed that multiple travel consultants used the free text field to record customers’ credit card information and passport numbers from 1 January 2015 to 31 December 2016.

FCTG also acknowledged that at the time of the data breach, it had no technical controls to prevent or detect consultants entering inappropriate information into the free text field in its quoting, invoicing and receipting system.

On becoming aware of the data breach, FCTG said it had removed all access to the data by the event participants within 30 minutes of being notified, and obtained verbal confirmation after the event from each participating team that they had destroyed all copies of the data.

FCTG also conducted a post-incident review, including a business impact assessment and risk assessment.

Following the assessment, the company deemed the incident was ‘low risk’ because there was no intrusion into its systems, the incident was not the result of a malicious or deliberate act, the incident involved a ‘contained dataset’ provided to known third parties, there was no evidence of any actual misuse of the data, and confirmation was received from the third parties that the data had been destroyed.

FCTG also notified individuals whose passport or credit card details had been disclosed of the data breach on 7 July 2017, and offered free identity theft and credit monitoring coverage for 12 months.

The company said it paid the reasonable costs of passport replacement for customers who elected to do so, as well as notifying its merchant bank, with affected credit card details put on a fraud watch list.

FCTG also developed a remediation plan to address the cause of the data breach, based on its post-incident review, to prevent the occurrence of a similar incident.

Ultimately, Falk found that FCTG interfered with the privacy of approximately 6,918 of its customers by failing to take reasonable steps in the circumstances to implement practices, procedures and systems relating to its functions and activities.

However, the Information and Privacy Commissioner decided that further regulatory action was “not warranted” and “unnecessary in the circumstances”.

“The respondent submitted that it has taken remedial action since the data breach, no further similar incidents have occurred or are likely to occur, and significant time has passed since the data breach,” she wrote.

Falk also determined there was no evidence to support a declaration that FCTG redress any loss or damage suffered, or that any individuals are entitled to a specified amount by way of compensation.

“It is inappropriate for any further action to be taken in the matter,” she wrote.

In a statement to Travel Weekly, FCTG said it was “generally pleased” with the investigation’s findings and that no further action will be taken.

“The Flight Centre Travel Group takes data security and privacy issues very seriously,” the statement read.

“When this incident occurred three years ago, the company took immediate action to resolve the issue, which arose as a result of a human error, and to ensure it could not happen again.”


Featured image source: iStock/WhataWin


SEE WHAT PEOPLE ARE SAYING

Leave a Reply

Aviation

Virgin furthers Velocity status extension, adds bonus rewards for flights between October and March

With international travel now well on its way, Velocity Frequent Flyer is proving that loyalty works both ways with some extra perks for members and the promise of new partnerships with overseas carriers.

Share

CommentComments

Cruise

Carnival outlines new sustainability goals, with aspirations to achieve carbon-neutral operations by 2050

Meanwhile, considering the state of things, the only thing Travel Weekly staff are aspiring to be by 2050 is still alive and kicking.

Share

CommentComments

Aviation

“CALLS FOR A HAPPY DANCE!” Qantas flighty wearing uniform for first time since COVID goes viral

This flight attendant’s happy dance has been melting hearts across the internet. The fact that she’s also an influencer probably helped, too.

Share

CommentComments

Technology

Federal government takes next step in prepping for international travel restart

ScoMo and his team of ministers are hurriedly trying to make sure everything’s tickety-boo by the time our international borders reopen.

Share

CommentComments

Cruise

Aurora Expeditions jumps on mandatory vaccination bandwagon

If getting vaxxed is our ticket to travelling again, we at Travel Weekly gladly roll up our sleeves. Even if Bill Gates has popped a microchip in the doses (he hasn’t).

Share

CommentComments

Aviation

Air Canada to resume Sydney-Vancouver flights from mid-December

Looks like Air Canada will beat Qantas by one day in resuming its Sydney-Vancouver service. We can hear Alan Joyce sighing from here.

Share

CommentComments

Hotels

Marriott offers its own ‘vaccine passport’ to Aussie travellers

Fancy a month’s worth of free accommodation across Australia, NZ and the Pacific to enjoy once it is safe to do so? Well, you’ll need both jabs to be in with a chance.

Share

CommentComments

Wholesalers

Globus family of brands introduces proof-of-vaccination policy for all trips

If you’ve got clients booked to join any Globus, Cosmos, Avalon Waterways or Monograms trip, you’d better pray they’re not anti-vaxxers.

Share

CommentComments

Aviation

Qantas to resume 12 international routes from 18 December

by Ali Coulton

If all goes to plan, 18 December will now be known as the beginning of the end of Australia’s overseas travel ban hellscape. Coincidentally, it’s also our deputy editor’s birthday!

Share

CommentComments

Hotels

Longest-running CEO of any major hotel company calls time on career

BWH Hotel Group’s longtime president and CEO is retiring, with an Esky, BBQ tongs and Big Mouth Billy Bass Singing Fish mooted as possible leaving gifts.

Share

CommentComments

Travel Agents

ETG agents score access to thousands of custom trips via Designer Journeys

The company’s network of independent agents can now impress clients with access to loads of tailorable itineraries and expert advice.

Share

CommentComments

Cruise

Coral Expeditions launches new summer sailings along South Australia’s wild coast

The five new journeys all take place intrastate, so even the toughest border closures can’t put a stop to these babies. As long as your clients live in SA, that is.

Share

CommentComments