The road to a data breach is paved with good intentions

Australian travel agent’s woes are a reminder that privacy policies don’t automatically let you share customer data, even for well-intentioned efforts.

cso security hack breach water leak gettyimages 466029458 by firmafotografen 2400x1600px
firmafotografen / Getty Images

Australia’s largest chain of travel agencies, Flight Centre, was found to have released the personal information of nearly 7,000 customers during a 2017 ‘design jam’ in which it provided the data to 16 teams who were tasked with using it to create innovative solutions for travel agents.

The data was supposed to have been deidentified before distribution, but after 36 hours its personal nature was revealed and the company was eventually referred to the privacy regulator Office of the Australian Information Commissioner (OAIC).

An investigation into the incident, whose results were released this month, found that the company had not taken reasonable steps to implement practices for ensuring compliance with the Australian privacy principles.

Flight Centre had also disclosed the personal information of the individuals without their consent, and it failed to “take reasonable steps to appropriately secure the personal information”, privacy commissioner Angelene Falk said.

“This determination is a strong reminder for organisations to build privacy by design into new projects involving personal information handling, particularly where large data sets will be shared with third-party suppliers for analysis,” she said.

To continue reading this article register now

Subscribe today! Get the best in cybersecurity, delivered to your inbox.