The Australian Information Commissioner and Privacy Commissioner Angelene Falk has handed down a determination that Flight Centre breached the privacy of 6,918 customers when it held its "design jam" event across the weekend of March 24 to March 26 in 2017.
On the first day of the event, Flight Centre handed a data set containing production data from the 2015 and 2016 calendar years to the 16 teams competing in the event, 90 people in total.
The data set had 106 million rows, and the company believed it had obfuscated its customers' personal information, leaving only each customer's year of birth, postcode, gender, and booking information. According to the determination[1] made by Falk, Flight Centre had its business intelligence and Australian infosec teams, as well as event coordinators, review the first 1,000 rows of data to confirm there was no sensitive information in the file.
However, 36 hours after the event had begun, a free text field under a column called "ProductName" was found by one of the participants to contain credit card information.
Flight Centre then reviewed the file and found it contained 4,011 credit cards and 5,092 passport numbers affecting 6,918 people, as well as 475 usernames and passwords to mostly vendor portals. 757 dates of birth were also identified.
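The gap between a first-1,000-row review and a scan of every row of a free-text column can be shown in a few lines. This is an added example, not code from the determination or from Flight Centre; the function names and the sample rows are constructed for illustration, and only the "ProductName" column name comes from the article.

```python
import re
from itertools import islice

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += (d - 9) if d > 9 else d
    return total % 10 == 0


def find_card_numbers(text):
    """Return Luhn-valid card-number candidates found in free text."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_column(rows, column, limit=None):
    """Return indexes of flagged rows; limit=N mimics a head-only review."""
    flagged = []
    for idx, row in enumerate(islice(rows, limit)):
        if find_card_numbers(row.get(column, "")):
            flagged.append(idx)
    return flagged


# Constructed sample: 5,000 rows, one with the widely published test card
# number 4111 1111 1111 1111 typed into the free-text field.
SAMPLE = [{"ProductName": f"Return flight SYD-MEL ref {i}"} for i in range(5000)]
SAMPLE[3210]["ProductName"] = "Hotel 2 nights - paid card 4111 1111 1111 1111 exp 01/19"
SAMPLE[4100]["ProductName"] = "Tour booking 1234567890123456"  # fails Luhn, ignored

if __name__ == "__main__":
    print("first 1,000 rows:", scan_column(SAMPLE, "ProductName", limit=1000))
    print("all rows:", scan_column(SAMPLE, "ProductName"))
```

The head-only pass returns nothing while the full pass flags row 3210. The check covers card numbers only; passport numbers, credentials and dates of birth would each need their own pattern.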
Upon learning of the breach, the company prevented access to the file and truncated the column to 10 characters, received verbal confirmation from participants that they had destroyed all copies of the file, and began a post-incident review. Those who had their payment or passport details breached were notified by the company, offered free identity theft and credit monitoring coverage for a year, and Flight Centre coughed up for the cost of replacing passports when