Flight Centre’s Design Jam Data Breach: What can we learn?
Flight Centre, Australia’s largest travel agency suffered a data breach affecting nearly 7,000 customers, as an unintended consequence of a project aimed at creating better customer outcomes. What can we learn from the Privacy Commissioner’s investigation and determination made about the incident?
- A privacy notice is a transparency mechanism. It can’t be relied on as evidence of consent;
- A disclosure does not require intent and can be accidental;
- Internal policies are not enough by themselves: they must be communicated and enforced. Where appropriate they should be supported by technical controls.
- If you respond quickly and effectively and engage with the OAIC in a constructive way, you should escape serious negative findings.
The Office of the Australian Information Commissioner (OAIC) confirmed on 7 December 2020 that Flight Centre Travel Group Ltd had interfered with the privacy of almost 7,000 customers, by disclosing their personal information without consent.
Background – Flight Centre’s Design Jam
In early 2017, Flight Centre invited fellow members of the travel industry to participate in a ‘design jam’ (also known as a ‘hackathon’), during which 90 selected industry participants were tasked with creating “technological solutions that could assist travel agents deal with customers during the sales process.”
Flight Centre provided event participants with access to a data set containing 106 million rows of data taken from Flight Centre’s systems. One of the files provided to participants included more than 6 million individual customer records.
Flight Centre believed that all fields in the data set containing customer personal information had been de-identified, leaving what was thought to be only the customer’s year of birth, postcode, gender and booking information. A top 1,000 row sample of each file within the dataset was reviewed by Flight Centre, to ensure that no personal information remained.
Around 36 hours after the information was made available to event participants, Flight Centre was notified that customer credit card information had been discovered in an unstructured free text field within one of the data files provided. Upon review, Flight Centre found the problem was with information that had been included in a free text field, against company policy. Further investigation showed the disclosed data included:
- Details of 4,011 credit cards and 5,092 passport numbers for 6,918 individuals;
- 475 usernames and passwords (mostly to vendor and supplier portals); and
- 757 rows containing customers’ date of birth had also been disclosed.
Flight Centre’s response to the data breach
Flight Centre acted quickly when it found out about the unintended disclosure, including:
- Removing event participant access permissions to the data set;
- Requiring participants to verbally confirm they had destroyed all copies of the data;
- Conducting a post-incident review, including a risk assessment, which deemed the incident as ‘low risk’, based on the accidental nature of the disclosure to a known group and no evidence of misuse;
- Developing a remediation plan to address the cause of the data breach, based on the post-incident review, to prevent re-occurrence of a similar incident.
Flight Centre also took action to reduce any harm to the affected individuals. As well as notifying them of the incident, Flight Centre offered:
- free identity theft and credit monitoring coverage; and
- to pay reasonable costs for passport replacement (which ended up costing Flight Centre $68,500).
The OAIC determined the following:
- There was an unauthorised disclosure, in breach of APP 6 (and not just a use of data). The OAIC confirmed previous guidance that a ‘disclosure’ can be accidental;
- Although Flight Centre had comprehensive documented internal policies and procedures for the handling of personal information, these had not been properly communicated to staff or enforced, and were inadequate to address the risk of an incident occurring. The Commissioner suggested a “reasonable step” to secure the data would have been “to implement an automated scanning technique to review data” to check for any remaining personal information prior to the disclosure.
- The determination noted that failure to comply with these policies was likely to have been occurring for a significant period of time, which indicated insufficient quality control and assurance procedures.
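The two technical points above (a top-1,000-row sample review that could not catch data planted deep in a 6-million-row file, and the Commissioner’s suggested “automated scanning technique to review data” before release) can be illustrated with a small pre-release scanner. The code below is an added example written for this article; it is not Flight Centre’s tooling and not part of the determination. The dataset is constructed inline, the passport-number shape (one or two letters followed by seven digits) is a heuristic assumption rather than a format taken from the case, and the card number is the widely used Visa test value.

```python
import re
from dataclasses import dataclass

# Candidate payment card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Heuristic passport-number shape (one or two letters + seven digits). This is an
# assumption for the example, not a format taken from the determination.
PASSPORT_RE = re.compile(r"\b[A-Z]{1,2}\d{7}\b")
# Credential fragments such as "password: hunter2" or "pwd=..." left in notes fields.
CRED_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\b\s*[:=]\s*(\S+)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) checksum used by card numbers; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    row: int
    field: str
    kind: str
    redacted: str           # never carry the raw value into scan reports


def scan_text(text: str):
    """Yield (kind, redacted_value) for each sensitive token found in one free-text value."""
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            yield "card", "*" * (len(digits) - 4) + digits[-4:]
    for m in PASSPORT_RE.finditer(text):
        yield "passport", m.group()[:2] + "*" * (len(m.group()) - 2)
    for m in CRED_RE.finditer(text):
        yield "credential", m.group(1)[:1] + "***"


def scan_rows(rows, free_text_fields, limit=None):
    """Scan every row, or only the first `limit` rows to mimic a top-N sample review."""
    findings = []
    for idx, row in enumerate(rows):
        if limit is not None and idx >= limit:
            break
        for field in free_text_fields:
            for kind, redacted in scan_text(str(row.get(field, ""))):
                findings.append(Finding(idx, field, kind, redacted))
    return findings


def build_sample_dataset(n=1500):
    """Constructed data: 'de-identified' rows with sensitive text planted beyond row 1,000."""
    rows = []
    for i in range(n):
        rows.append({
            "year_of_birth": 1950 + (i % 50),
            "postcode": 2000 + (i % 999),
            "gender": "F" if i % 2 else "M",
            "notes": f"Booking ref BK{i:06d}, window seat requested",
        })
    # Staff notes that breach policy by capturing payment, passport and login details.
    rows[1200]["notes"] = "Customer paid by card 4111 1111 1111 1111, exp 12/24"
    rows[1350]["notes"] = "Passport PA1234567 sighted; supplier portal password: Tr4vel!"
    return rows


if __name__ == "__main__":
    data = build_sample_dataset()
    print("top-1000 sample review:", scan_rows(data, ["notes"], limit=1000))
    for f in scan_rows(data, ["notes"]):
        print("full scan:", f)
```

Running it shows the sample review returning nothing while the full scan reports a card, a passport number and a credential, each redacted. In practice a gate like this would run over every free-text column of every file before the data set is released, and a non-empty result would block the release rather than merely log it.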
However, given that Flight Centre cooperated with the investigation and had already incurred various costs, no further action was taken by the OAIC.
What can we learn?
The Flight Centre determination serves as a reminder of the impact of human error in data breaches, and the importance of monitoring and checking.
Simply having policies and procedures in place is not enough. They must be supplemented by technical controls and regular testing and review, to ensure policies and procedures are being followed, controls are working properly and also to minimise the impact of human error.
An important lesson from this breach is building privacy by design into new projects or any new use of data. When embarking on a project, or a new use, that involves handling of personal information, organisations must consider the potential privacy impacts, and take steps to minimise any potential adverse consequences. Where third parties are to be involved in a project, at a minimum, there should be contractual mechanisms in place to ensure that any personal information shared can only be used for the purpose it was provided (and that it is deleted immediately after this purpose has been served).
Flight Centre’s response to this incident reduced the potential consequences. However, the incident may have been avoided in the first place if greater care had been taken – both with the capturing and retention of personal data and then again prior to the release of the data set as part of the design jam.
Although compliance with privacy obligations can seem an arduous task at times, it is not only a legal obligation, but a crucial step in ensuring the protection of your organisation and the data you hold.