book a virtual meeting Search Search
brisbane

level 16, 324 queen st,
brisbane qld 4000
+61 7 3235 0400

dandenong

40-42 scott st,
dandenong vic 3175
+61 3 9794 2600

melbourne

level 7, 600 bourke st,
melbourne vic 3000
+61 3 8615 9900

sydney

level 21, 20 bond st,
sydney nsw 2000
+61 2 8298 9533

hello. we’re glad you’re
getting in touch.

Fill in form below, or simply call us on 1800 888 966

Trouble in paradise for Flight Centre – make sure your business correctly handles customer information

05 March 2021
sara demetrios
Read Time 3 mins reading time

Late last year the Office of the Australian Information Commissioner (OAIC) determined that Flight Centre Travel Group Ltd (Flight Centre) failed to comply with Australian privacy laws.

what led to the data breach?

In 2017 Flight Centre hosted a three-day “design jam” event, aimed at creating “technical solutions for travel agents to better support customer during the sales process”.

During the event, the participants were provided with access to a dataset which contained 106 million rows of data, which Flight Centre believed had been deidentified to only show customers’ postcodes, gender, birth year and booking information.

However, it was later identified that personal information (such as individual customer records, credit card and passport details) of approximately 6,918 customers was leaked.

how the data breach was found and what steps did Flight Centre take?

After 36 hours of the event being live, Flight Centre became aware of the privacy issue. A participant highlighted that all participants had access to identifiable personal customer information within the data set provided.

To address the major breach, Flight Centre:

  • removed all access to personal data, within 30 minutes of becoming aware;
  • requested and obtained confirmation from all participants that all copies of the data had been destroyed;
  • undertook a business impact assessment and risk assessment, which determined the incident as low risk;
  • notified customers who had any data leaked and offered free identify theft and credit coverage for the following 12-month period;
  • paid at least $68,500 to replace passports; and
  • cooperated with the ensuing investigation.

the outcome

It was determined that Flight Centre breached the Australian Privacy Principles by:

  • not taking reasonable steps to implement practises to ensure compliance with the APPs;
  • disclosing individuals’ personal information without consent; and
  • failing to take reasonable steps to appropriately secure the personal information.

The OAIC also found that while Flight Centre had a privacy policy, its general statements regarding information disclosure were not specific enough to amount to the customers providing consent for their information to be passed onto third parties.

Ultimately, with significant weight placed on the remedial actions Flight Centre undertook and the fact Flight Centre has not been involved in further similar data breach incidents, the OAIC determined that no further action was necessary.

does this determination impact your business?

Yes, absolutely – as stated by Commissioner Falk:

This determination is a strong reminder for organisations to build privacy by design into new projects involving personal information handling, particularly where large datasets will be shared with third party suppliers for analysis.”

Practically, this means that Australian businesses should avoid interfering with customers’ personal information by:

  • properly understanding your obligations under Australian privacy laws;
  • proactively implement and update data management systems;
  • ensure privacy policies are drafted in a specific manner, yet not purely relied upon without obtaining further consent in relation to personal information handling; and
  • act promptly if any privacy breach is notified.

we are here to help

If you are unsure about what privacy compliance obligations apply to your business or have any question regarding the above, please contact a member of the Macpherson Kelley Trade Team.

stay up to date with our news & insights

Trouble in paradise for Flight Centre – make sure your business correctly handles customer information

05 March 2021
sara demetrios

Late last year the Office of the Australian Information Commissioner (OAIC) determined that Flight Centre Travel Group Ltd (Flight Centre) failed to comply with Australian privacy laws.

what led to the data breach?

In 2017 Flight Centre hosted a three-day “design jam” event, aimed at creating “technical solutions for travel agents to better support customer during the sales process”.

During the event, the participants were provided with access to a dataset which contained 106 million rows of data, which Flight Centre believed had been deidentified to only show customers’ postcodes, gender, birth year and booking information.

However, it was later identified that personal information (such as individual customer records, credit card and passport details) of approximately 6,918 customers was leaked.

how the data breach was found and what steps did Flight Centre take?

After 36 hours of the event being live, Flight Centre became aware of the privacy issue. A participant highlighted that all participants had access to identifiable personal customer information within the data set provided.

To address the major breach, Flight Centre:

  • removed all access to personal data, within 30 minutes of becoming aware;
  • requested and obtained confirmation from all participants that all copies of the data had been destroyed;
  • undertook a business impact assessment and risk assessment, which determined the incident as low risk;
  • notified customers who had any data leaked and offered free identify theft and credit coverage for the following 12-month period;
  • paid at least $68,500 to replace passports; and
  • cooperated with the ensuing investigation.

the outcome

It was determined that Flight Centre breached the Australian Privacy Principles by:

  • not taking reasonable steps to implement practises to ensure compliance with the APPs;
  • disclosing individuals’ personal information without consent; and
  • failing to take reasonable steps to appropriately secure the personal information.

The OAIC also found that while Flight Centre had a privacy policy, its general statements regarding information disclosure were not specific enough to amount to the customers providing consent for their information to be passed onto third parties.

Ultimately, with significant weight placed on the remedial actions Flight Centre undertook and the fact Flight Centre has not been involved in further similar data breach incidents, the OAIC determined that no further action was necessary.

does this determination impact your business?

Yes, absolutely – as stated by Commissioner Falk:

This determination is a strong reminder for organisations to build privacy by design into new projects involving personal information handling, particularly where large datasets will be shared with third party suppliers for analysis.”

Practically, this means that Australian businesses should avoid interfering with customers’ personal information by:

  • properly understanding your obligations under Australian privacy laws;
  • proactively implement and update data management systems;
  • ensure privacy policies are drafted in a specific manner, yet not purely relied upon without obtaining further consent in relation to personal information handling; and
  • act promptly if any privacy breach is notified.

we are here to help

If you are unsure about what privacy compliance obligations apply to your business or have any question regarding the above, please contact a member of the Macpherson Kelley Trade Team.