Investigation finds travel agent ‘design jam’ the cause of big Flight Centre data breach

Abstract Technology Binary Code Dark Red Background. Cyber Attack, Ransomware, Malware, Scareware Concept

An investigation into a major data breach involving Flight Centre Travel Group (FCTG) more than three years ago has found that the company broke a number of Australian Privacy Principles.

In early 2017, FCTG organised a first-of-its-kind ‘design jam’ for March of that year, according to a recently published judgement by Australian Information and Privacy Commissioner Angelene Falk.

“The purpose of the event was to create technological solutions for travel agents to better support customers during the sales process,” Falk wrote.

“Sixteen teams, comprising 90 individuals, registered for and participated in the event.”

On 24 March 2017, Falk said FCTG provided event participants with access to a dataset for the 2015 and 2016 calendar years containing 106 million rows of data.

A file within the set contained 28 million rows of data from FCTG’s quoting, invoicing and receipting system. Falk said the data file contained 6,121,565 individual customer records.

Details known to contain personal information were obfuscated, leaving what was thought to be only the customer’s year of birth, postcode, gender, and booking information.

Representatives from FCTG reviewed a top 1,000-row sample of each data file within the dataset to ensure the data did not contain any personal information, according to Falk.

However, on 26 March 2017, an event participant notified FCTG that they had identified credit card information that was stored in an unstructured, free text field in the data provided to all event participants.

Falk noted in her case determination that by this time, the information had been available for approximately 36 hours.

“[FCTG] later identified that the customer information disclosed to the event participants mistakenly included details of 4,011 credit cards and 5,092 passport numbers for 6,918 individuals,” she wrote.

“Additionally, 475 usernames and passwords (mostly to vendor and supplier portals) and 757 rows containing customers’ date of birth were disclosed.”

FCTG claimed that it did not permit passport information and credit card details to be included in the free text field of its system.

Instead, the free text field was intended to be used by the company’s employees to communicate information about a booking.

However, Falk said that despite FCTG’s internal policies and training, the information showed that multiple travel consultants used the free text field to record customers’ credit card information and passport numbers from 1 January 2015 to 31 December 2016.

FCTG also acknowledged that at the time of the data breach, it had no technical controls to prevent or detect consultants entering inappropriate information into the free text field in its quoting, invoicing and receipting system.

On becoming aware of the data breach, FCTG said it had removed all access to the data by the event participants within 30 minutes of being notified, and obtained verbal confirmation after the event from each participating team that they had destroyed all copies of the data.

FCTG also conducted a post-incident review, including a business impact assessment and risk assessment.

Following the assessment, the company deemed the incident was ‘low risk’ because there was no intrusion into its systems, the incident was not the result of a malicious or deliberate act, the incident involved a ‘contained dataset’ provided to known third parties, there was no evidence of any actual misuse of the data, and confirmation was received from the third parties that the data had been destroyed.

FCTG also notified individuals whose passport or credit card details had been disclosed of the data breach on 7 July 2017, and offered free identity theft and credit monitoring coverage for 12 months.

The company said it paid the reasonable costs of passport replacement for customers who elected to do so, as well as notifying its merchant bank, with affected credit card details put on a fraud watch list.

FCTG also developed a remediation plan to address the cause of the data breach, based on its post-incident review, to prevent the occurrence of a similar incident.

Ultimately, Falk found that FCTG interfered with the privacy of approximately 6,918 of its customers by failing to take reasonable steps in the circumstances to implement practices, procedures and systems relating to its functions and activities.

However, the Information and Privacy Commissioner decided that further regulatory action was “not warranted” and “unnecessary in the circumstances”.

“The respondent submitted that it has taken remedial action since the data breach, no further similar incidents have occurred or are likely to occur, and significant time has passed since the data breach,” she wrote.

Falk also determined there was no evidence to support a declaration that FCTG redress any loss or damage suffered, or that any individuals are entitled to a specified amount by way of compensation.

“It is inappropriate for any further action to be taken in the matter,” she wrote.

In a statement to Travel Weekly, FCTG said it was “generally pleased” with the investigation’s findings and that no further action will be taken.

“The Flight Centre Travel Group takes data security and privacy issues very seriously,” the statement read.

“When this incident occurred three years ago, the company took immediate action to resolve the issue, which arose as a result of a human error, and to ensure it could not happen again.”


Featured image source: iStock/WhataWin

Latest News

  • Destinations

Malolo Island Resort Fiji launches its own resort app

Guests at the Malolo Island Resort can now get a better experience even before they arrive with the resort’s newly launched mobile app. Guests are encouraged to download and use the app ahead of their stay to build their itinerary. They can check-in prior to their arrival and make dinner and spa reservations all from […]

  • Tour Operators

France on foot holiday savings

Walking up a steep incline may be painful, but it is all worth it when you see that incredible view.

  • Cruise

Seabourn introduces enhanced groups programs for travel advisors

Leading ultra-luxury cruising and expedition travel company, Seabourne, proudly announces the “Seabourn Enhanced Groups Program” to elevate business prospects for travel advisors. This program introduces a revamped Tour Conductor Credit that offers shipboard credits or bonus commission for bookings. It also eliminates the need for deposits for small group allotments and increases group capacity. “Seabourn […]

  • Cruise

Ponant’s latest luxury cruise expeditions for 2024 and 2025

Head out to see the beauty of unique destinations on three bucket-list explorations of Australia with Ponant Cruise’s new luxury expeditions. Known for their luxury cruises, Ponant offers unique and truly exceptional sea voyage aboard sleek and intimately sized cruise yachts. They offer a range of discovery expeditions, and launched new cruises that take guests […]

  • Aviation
  • News

Christine O’Reilly to replace Peter Hay as chair of Australia Pacific Airports Corporation

Christine O’Reilly has been named as the new chair of Australia Pacific Airports Corporation (APAC) – the owner of Melbourne and Launceston Airports. According to a release, O’Reilly will replace Peter Hay on 1 October, who retires after five years as Chair of APAC. APAC CEO Lorie Argus said O’Reilly’s appointment comes at an exciting […]

  • Tourism

The number one thing you can’t forget if you’re going to Europe & The Olympics

As the Summer Olympics in Paris draws near, travel insurance comparison site Compare the Market is urging travellers to safeguard their European summer sports dreams by getting travel insurance for when the unexpected happens. While France seems like a decently safe country to visit, it’s crucial not to overlook the potential risks that could disrupt a holiday. From bed […]