Flight Centre’s Design Jam Data Breach: What can we learn?

Flight Centre, Australia’s largest travel agency suffered a data breach affecting nearly 7,000 customers, as an unintended consequence of a project aimed at creating better customer outcomes.  What can we learn from the Privacy Commissioner’s investigation and determination made about the incident?

Key takeaways

• A privacy notice is a transparency mechanism. It can’t be relied on as evidence of consent;
• A disclosure does not require intent and can be accidental;
• Internal policies are not enough  by themselves: they must be communicated and enforced. Where appropriate they should be supported by technical controls.
• If you respond quickly and effectively and engage with the OAIC in a constructive way, you should escape serious negative findings.

The Office of the Australian Information Commissioner (OAIC) confirmed on 7 December 2020 that Flight Centre Travel Group Ltd had interfered with the privacy of almost 7,000 customers, by disclosing their personal information without consent[1].

Ironically, the breach occurred during a ‘design jam’ event, organised to identify novel solutions to common problems faced by travel agents during the customer booking process. The unexpected outcome demonstrate how organisations must ensure ongoing compliance with their internal policies, the benefits of technical security controls and reviewing privacy impacts prior to embarking on a new data use and the critical importance of a well-drafted privacy policy.

Background – Flight Centre’s Design Jam

In early 2017, Flight Centre invited fellow members of the travel industry to participate in a ‘design jam’, (also known as a ‘hackathon’) during which 90 selected industry participants were tasked with creating “technological solutions that could assist travel agents deal with customers during the sales process.”

Flight Centre provided event participants with access to a data set containing 106 million rows of data taken from Flight Centre’s systems. One of the files provided to participants included more than 6 million individual customer records.

Flight Centre believed that all fields in the data set containing customer personal information had been de-identified, leaving what was thought to be only the customer’s year of birth, postcode, gender and booking information. A top 1,000 row sample of each file within the dataset was reviewed by Flight Centre, to ensure that no personal information remained.

Around 36 hours after the information was made available to event participants, Flight Centre were notified that customer credit card information was discovered in an unstructured free text field within one of the data files provided.  Upon review, Flight Centre found the problem was with information that had been included in free text field, against the company policy.  Further investigation showed the disclosed data included:

• Details of 4,011 credit cards and 5,092 passport numbers for 6,918 individuals;
• 475 usernames and passwords (mostly to vendor and supplier portals); and
• 757 rows containing customers’ date of birth had also been disclosed.

Flight Centre’s response to the data breach

Flight Centre acted quickly when it found out about the unintended disclosure, including:

1. Removing event participant access permissions to the data set;
2. Requiring participants to verbally confirm they had destroyed all copies of the data;
3. Conducting a post-incident review, including a risk assessment, which deemed the incident as ‘low risk’, based on the accidental nature of the disclosure to a known group and no evidence of misuse;
4. Developing a remediation plan to address the cause of the data breach, based on the post-incident review, to prevent re-occurrence of a similar incident.

Flight Centre also took action to reduce any harm to the affected individuals. As well as notifying them of the incident, Flight Centre offered;

• free identity theft and credit monitoring coverage; and
• to pay reasonable costs for passport replacement (which ended up costing Flight Centre $68,500).

OAIC determination

The OAIC determined the following:

• There was an unauthorised disclosure, in breach of APP 6 (and not just a use of data). The OAIC confirmed previous guidance that a ‘disclosure’ can be accidental;[2]
• Flight Centre could not rely on reference to this sort of use in its Privacy Policy as indicating there was actual or implied consent to the use. The OAIC also reiterated that a privacy policy is only to serve as “a transparency mechanism…  and that it is not generally a way of providing notice and obtaining consent”;^[3]
• Although Flight Centre had comprehensive documented internal policies and procedures for the handling of personal information, these had not been properly communicated to staff or enforced, and were inadequate to address the risk of an incident occurring. The Commissioner suggested a “reasonable step” to secure the data would have been “to implement an automated scanning technique to review data” to check for any remaining personal information prior to the disclosure[4].
• The determination noted that failure to comply with these policies was likely to have been occurring for a significant period of time, which indicated insufficient quality control and assurance procedures. The significant time period over which the policies were not routinely followed also pointed to insufficient quality control and assurance[5].

However, given that Flight Centre cooperated with the investigation and had already incurred various costs, no further action was taken by the OAIC.[6].

What can we learn?

The Flight Centre determination serves as a reminder of the impact of human error in data breaches, and the importance of monitoring and checking.

Simply having policies and procedures in place is not enough. They must be supplemented by technical controls and regular testing and review, to ensure policies and procedures are being followed, controls are working properly and also to minimise the impact of human error.

An important lesson from this breach is building privacy by design into new projects or any new use of data. When embarking on a project, or a new use, that involves handling of personal information, organisations must consider the potential privacy impacts, and take steps to minimise any potential adverse consequences. Where third parties are to be involved in a project, at a minimum, there should be contractual mechanisms in place to ensure that any personal information shared can only be used for the purpose it was provided (and that it is deleted immediately after this purpose has been served).

Another key message to be taken from the Flight Centre breach is the importance of a well drafted, clear and concise privacy policy, as well as knowledge of its limitations. No matter the intention, a privacy policy serves only as a transparency mechanism – it cannot be used as a method of obtaining consent, nor can it be used to circumnavigate an organisation’s legal requirements. Where consent is required, irrespective of the content of a privacy policy, the consent must always be voluntary, informed, specific and provided by a person with capacity.

Conclusion

Flight Centre’s response to this incident reduced the potential consequences.  However, the incident may have been avoided in the first place if greater care had been taken – both with the capturing and retention of personal data and then again prior to the release of the data set as part of the design jam.

Although compliance with privacy obligations can seem an arduous task at times, it is not only a legal obligation, but a crucial step in ensuring the protection of your organisation and the data you hold.

If you need practical guidance and advice to help you understand your privacy compliance obligations, tools and resources to help you manage personal information, or some assistance developing your privacy policy, contact the team at Privacy 108.

[1] Flight Centre Travel Group (Privacy) [2020] AICmr 57 (25 November 2020)

[2] APP guidelines, [B.64] and [6.10]

[3] Flight Centre Travel Group (Privacy) [2020] AICmr 57 (25 November 2020) at 52 and 55.

[4] Ibid at 95

[5] Ibid at 88

[6] Ibid at 121

Oops! We could not locate your form.