An investigation into a major data breach involving Flight Centre Travel Group (FCTG) more than three years ago has found that the company broke a number of Australian Privacy Principles.
In early 2017, FCTG organised a first-of-its-kind ‘design jam’ for March of that year, according to a recently published judgement by Australian Information and Privacy Commissioner Angelene Falk.
“The purpose of the event was to create technological solutions for travel agents to better support customers during the sales process,” Falk wrote.
“Sixteen teams, comprising 90 individuals, registered for and participated in the event.”
On 24 March 2017, Falk said FCTG provided event participants with access to a dataset for the 2015 and 2016 calendar years containing 106 million rows of data.
A file within the set contained 28 million rows of data from FCTG’s quoting, invoicing and receipting system. Falk said the data file contained 6,121,565 individual customer records.
Details known to contain personal information were obfuscated, leaving what was thought to be only the customer’s year of birth, postcode, gender, and booking information.
Representatives from FCTG reviewed a top 1,000-row sample of each data file within the dataset to ensure the data did not contain any personal information, according to Falk.
However, on 26 March 2017, an event participant notified FCTG that they had identified credit card information that was stored in an unstructured, free text field in the data provided to all event participants.
Falk noted in her case determination that by this time, the information had been available for approximately 36 hours.
“[FCTG] later identified that the customer information disclosed to the event participants mistakenly included details of 4,011 credit cards and 5,092 passport numbers for 6,918 individuals,” she wrote.
“Additionally, 475 usernames and passwords (mostly to vendor and supplier portals) and 757 rows containing customers’ date of birth were disclosed.”
FCTG claimed that it did not permit passport information and credit card details to be included in the free text field of its system.
Instead, the free text field was intended to be used by the company’s employees to communicate information about a booking.
However, Falk said that despite FCTG’s internal policies and training, the information showed that multiple travel consultants used the free text field to record customers’ credit card information and passport numbers from 1 January 2015 to 31 December 2016.
FCTG also acknowledged that at the time of the data breach, it had no technical controls to prevent or detect consultants entering inappropriate information into the free text field in its quoting, invoicing and receipting system.
On becoming aware of the data breach, FCTG said it had removed all access to the data by the event participants within 30 minutes of being notified, and obtained verbal confirmation after the event from each participating team that they had destroyed all copies of the data.
FCTG also conducted a post-incident review, including a business impact assessment and risk assessment.
Following the assessment, the company deemed the incident was ‘low risk’ because there was no intrusion into its systems, the incident was not the result of a malicious or deliberate act, the incident involved a ‘contained dataset’ provided to known third parties, there was no evidence of any actual misuse of the data, and confirmation was received from the third parties that the data had been destroyed.
FCTG also notified individuals whose passport or credit card details had been disclosed of the data breach on 7 July 2017, and offered free identity theft and credit monitoring coverage for 12 months.
The company said it paid the reasonable costs of passport replacement for customers who elected to do so, as well as notifying its merchant bank, with affected credit card details put on a fraud watch list.
FCTG also developed a remediation plan to address the cause of the data breach, based on its post-incident review, to prevent the occurrence of a similar incident.
Ultimately, Falk found that FCTG interfered with the privacy of approximately 6,918 of its customers by failing to take reasonable steps in the circumstances to implement practices, procedures and systems relating to its functions and activities.
However, the Information and Privacy Commissioner decided that further regulatory action was “not warranted” and “unnecessary in the circumstances”.
“The respondent submitted that it has taken remedial action since the data breach, no further similar incidents have occurred or are likely to occur, and significant time has passed since the data breach,” she wrote.
Falk also determined there was no evidence to support a declaration that FCTG redress any loss or damage suffered, or that any individuals are entitled to a specified amount by way of compensation.
“It is inappropriate for any further action to be taken in the matter,” she wrote.
In a statement to Travel Weekly, FCTG said it was “generally pleased” with the investigation’s findings and that no further action will be taken.
“The Flight Centre Travel Group takes data security and privacy issues very seriously,” the statement read.
“When this incident occurred three years ago, the company took immediate action to resolve the issue, which arose as a result of a human error, and to ensure it could not happen again.”
Featured image source: iStock/WhataWin