The road to a data breach is paved with good intentions

Australia’s largest chain of travel agencies, Flight Centre, was found to have released the personal information of nearly 7,000 customers during a 2017 ‘design jam’ in which it provided the data to 16 teams who were tasked with using it to create innovative solutions for travel agents.

The data was supposed to have been deidentified before distribution, but after 36 hours its personal nature was revealed and the company was eventually referred to the privacy regulator Office of the Australian Information Commissioner (OAIC).

An investigation into the incident, whose results were released this month, found that the company had not taken reasonable steps to implement practices for ensuring compliance with the Australian privacy principles.

Flight Centre had also disclosed the personal information of the individuals without their consent, and it failed to “take reasonable steps to appropriately secure the personal information”, privacy commissioner Angelene Falk said.

“This determination is a strong reminder for organisations to build privacy by design into new projects involving personal information handling, particularly where large data sets will be shared with third-party suppliers for analysis,” she said.

Although Flight Centre had a privacy policy that includes “general statements about disclosing personal information to improve and develop their products,” Falk found that privacy policies are intended as “transparency mechanisms” and are “not sufficiently specific” to be taken as having obtained customers’ consent.

Falk encouraged organisers of data hackathons to carry out privacy impact assessments beforehand “to assist in identifying and addressing all relevant privacy impacts”.

The perils of open data

Data-based hackathons have become increasingly popular in Australia, with the Australian Federal Police recently reprising its National Missing Persons Hackathon after a successful inaugural event in 2019 saw 354 ethical hackers generate 3,912 leads.

Their analysis of open-source intelligence (OSINT), facilitated by authorities eager to help resolve some of the 38,000 missing persons reports submitted to police every year, was run in partnership with Canadian firm Trace Labs—and the more than 500 participants in this year’s sophomore effort continued the tradition.

“OSINT is a force multiplier,” said Chris Poulter, CEO of event sponsor and training provider OSINT Combine. “Using public resources and people in a group setting for a ‘collection activity’ allows the analysts and investigators to spend more time on the critical part of connecting the dots and understanding the picture.”

That project’s use of publicly available information may help it skirt the privacy considerations that put Flight Centre in hot water, but the growing volume of widely available personal information means companies need to be ever vigilant around their use, access to, and storage of personal information.

Digital-government agency Service NSW faced up to this reality a few months ago, after the compromise of an employee’s email account led to the compromise of about 500,000 documents containing personal information related to 180,000 people.

Australia’s Department of Foreign Affairs (DFAT) was forced to apologise in September 2020 after it inadvertently leaked the email addresses of thousands of Australians whom it has been working to help repatriate after being stranded overseas during the COVID-19 pandemic.

Also in September, it was community group Scouts Victoria’s turn as an investigation into a phishing breachrevealed that the breach may have leaked personal information including credit card details, tax file numbers, banking details, driver’s licenses, birth certificates, passports, signatures, and details of sensitive family and other court orders.

Even Transport for NSW, the roads authority in Australia’s most populous state, was facing repercussions after images of more than 54,000 driver’s licenses were found in an unsecured Amazon Web Services (AWS) data folder.

The human factor has increased as a breach risk

The number of data breaches due to human error increased by 7% during the first half of this year to comprise 34% of all breaches, the OAIC has previously reported.

Leakage or loss of personal information remains a significant exposure for companies dealing in ever-increasing volumes of personal information—particularly as the pressures of managing their COVID-19 pandemic response push them to work more quickly than ever.

Likely reflecting this pressure, the number of cases where personal information was sent to the wrong email recipient increased by 42% during the first half of 2020 compared to the second half of 2019.

Contact information, such as email addresses, was the most commonly-breached type of personal information—identity information and financial details were nearly equal in second and third place—with the failure to use the blind carbon copy (BCC) function affecting an average of 486 individuals per breach.

Some 39% of the human-error data breaches involved the sending of personal information to the wrong recipient, while 16% involved the unintended release or publication of personal information. “Organisations should assume that human errors – such as the inadvertent disclosure of personal information to suppliers—could occur and take steps to prevent them,” Falk said.