Travel Agents

Investigation finds travel agent ‘design jam’ the cause of big Flight Centre data breach

Huntley Mitchell

Huntley Mitchell

An investigation into a major data breach involving Flight Centre Travel Group (FCTG) more than three years ago has found that the company broke a number of Australian Privacy Principles.

In early 2017, FCTG organised a first-of-its-kind ‘design jam’ for March of that year, according to a recently published judgement by Australian Information and Privacy Commissioner Angelene Falk.

“The purpose of the event was to create technological solutions for travel agents to better support customers during the sales process,” Falk wrote.

“Sixteen teams, comprising 90 individuals, registered for and participated in the event.”

On 24 March 2017, Falk said FCTG provided event participants with access to a dataset for the 2015 and 2016 calendar years containing 106 million rows of data.

A file within the set contained 28 million rows of data from FCTG’s quoting, invoicing and receipting system. Falk said the data file contained 6,121,565 individual customer records.

Details known to contain personal information were obfuscated, leaving what was thought to be only the customer’s year of birth, postcode, gender, and booking information.

Representatives from FCTG reviewed a top 1,000-row sample of each data file within the dataset to ensure the data did not contain any personal information, according to Falk.

However, on 26 March 2017, an event participant notified FCTG that they had identified credit card information that was stored in an unstructured, free text field in the data provided to all event participants.

Falk noted in her case determination that by this time, the information had been available for approximately 36 hours.

“[FCTG] later identified that the customer information disclosed to the event participants mistakenly included details of 4,011 credit cards and 5,092 passport numbers for 6,918 individuals,” she wrote.

“Additionally, 475 usernames and passwords (mostly to vendor and supplier portals) and 757 rows containing customers’ date of birth were disclosed.”

FCTG claimed that it did not permit passport information and credit card details to be included in the free text field of its system.

Instead, the free text field was intended to be used by the company’s employees to communicate information about a booking.

However, Falk said that despite FCTG’s internal policies and training, the information showed that multiple travel consultants used the free text field to record customers’ credit card information and passport numbers from 1 January 2015 to 31 December 2016.

FCTG also acknowledged that at the time of the data breach, it had no technical controls to prevent or detect consultants entering inappropriate information into the free text field in its quoting, invoicing and receipting system.

On becoming aware of the data breach, FCTG said it had removed all access to the data by the event participants within 30 minutes of being notified, and obtained verbal confirmation after the event from each participating team that they had destroyed all copies of the data.

FCTG also conducted a post-incident review, including a business impact assessment and risk assessment.

Following the assessment, the company deemed the incident was ‘low risk’ because there was no intrusion into its systems, the incident was not the result of a malicious or deliberate act, the incident involved a ‘contained dataset’ provided to known third parties, there was no evidence of any actual misuse of the data, and confirmation was received from the third parties that the data had been destroyed.

FCTG also notified individuals whose passport or credit card details had been disclosed of the data breach on 7 July 2017, and offered free identity theft and credit monitoring coverage for 12 months.

The company said it paid the reasonable costs of passport replacement for customers who elected to do so, as well as notifying its merchant bank, with affected credit card details put on a fraud watch list.

FCTG also developed a remediation plan to address the cause of the data breach, based on its post-incident review, to prevent the occurrence of a similar incident.

Ultimately, Falk found that FCTG interfered with the privacy of approximately 6,918 of its customers by failing to take reasonable steps in the circumstances to implement practices, procedures and systems relating to its functions and activities.

However, the Information and Privacy Commissioner decided that further regulatory action was “not warranted” and “unnecessary in the circumstances”.

“The respondent submitted that it has taken remedial action since the data breach, no further similar incidents have occurred or are likely to occur, and significant time has passed since the data breach,” she wrote.

Falk also determined there was no evidence to support a declaration that FCTG redress any loss or damage suffered, or that any individuals are entitled to a specified amount by way of compensation.

“It is inappropriate for any further action to be taken in the matter,” she wrote.

In a statement to Travel Weekly, FCTG said it was “generally pleased” with the investigation’s findings and that no further action will be taken.

“The Flight Centre Travel Group takes data security and privacy issues very seriously,” the statement read.

“When this incident occurred three years ago, the company took immediate action to resolve the issue, which arose as a result of a human error, and to ensure it could not happen again.”


Featured image source: iStock/WhataWin



SEE WHAT PEOPLE ARE SAYING

Leave a Reply

Hotels

TAA appoints new board member

It’s a good things that travel is an interesting industry otherwise they’d be appointing a new ‘bored’ member.

Share

CommentComments

Aviation

New data suggests China Eastern nosedive may have been intentional

Investigations into a tragic plane crash that killed 132 people earlier this year have revealed that it was likely not due to technical fault.

Share

CommentComments

Wholesalers

Luxury Escapes partners with the Travel Corporation

Similarly, Travel Weekly is trying to form a partnership with the cafe downstairs, which they correctly recognised as another attempt to get free coffee and shut down immediately.

Share

CommentComments

Aviation

Qantas teams up with Zip for buy now pay later flights

Looking for new and exciting ways to financially cripple the millennial and Gen Z market? This one from our national carrier takes the cake.

Share

CommentComments

Destinations

AGENT GUIDE: How to give your clients the best possible South America experience

by Sponsored by Chimu Adventures

From the snowcapped Andes and the Amazon rainforest to the culture clad streets of Buenos Aires and Rio, South America is a treasure trove of rich experiences not to be missed.

Share

CommentComments

Cruise

Cunard reports biggest booking day in a decade

The rumours are that many Cunard employees went home that day with a big sack with a dollar sign on it after a massive day on the job.

Share

CommentComments

News

Travel just got easier: No more pre-departure tests for New Caledonia, Tahiti, Indonesia

What would make travel really easy for us is if a nice company out there would like to send a Travel Weekly reporter on a nice trip overseas (wink, wink, nudge, nudge @anyone please).

Share

CommentComments

Cruise

Dream Cruises ship resurrected for new cruise brand

Don’t just sit around dreaming of cruises, hop on this revived Dream Cruises ship for your first getaway in two years.

Share

CommentComments

Events

Collette wraps up its first travel forum in two years

The tour operator hosted top sellers, partners, key travel players and media friends (that’s us!) for poolside shenanigans in sunny Cairns.

Share

CommentComments

Wholesalers

“Travel is the great educator”: Collette CEO Dan Sullivan on why we need travel now more than ever

We spent the past few days sipping mojitos by the pool in Cairns… Oh, and attending Collette’s travel forum! Here’s proof we were listening.

Share

CommentComments

Travel Agents

“It’s our shout”: Flight Centre is giving away free holidays!

The travel giant is giving away 40 holidays to celebrate its 40th Birthday! Nobody tell them that it’s usually the other way around…

Share

CommentComments

Hotels

QT Newcastle signature restaurant and bar revealed!

It might seem like we’re calling Newcastle a ‘cutie’ but rest assured, our cutest NSW city award still goes to Griffith.

Share

CommentComments