This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Aussie Travel Cover

Summary

Aussie Travel Cover, a travel insurance provider, suffered a data breach when a teenage hacker stole two databases containing over 870,000 customer records. The company was notified on 18 December 2014 but controversially chose not to inform affected policyholders, notifying only the third-party agents who sold the policies.

What Happened

A Queensland teenager using the online alias "Abdilo" claimed responsibility for hacking Aussie Travel Cover's systems and stealing large amounts of customer personal information. The attacker posted the stolen databases on a website and announced the breach on Twitter.

The compromised data included customer names, phone numbers, email addresses, travel dates and policy costs. Abdilo told media he hacked the travel insurance company "because he was bored". The stolen information was posted publicly online before being taken down.

Aussie Travel Cover learned of the breach on 18 December 2014 and informed third-party agents who sell Aussie Travel Cover policies five days later on 23 December. However, the company made the controversial decision not to notify the hundreds of thousands of potentially affected policyholders directly, telling agents that "at this stage, there is no reason to advise policyholders".

Impact on Individuals

Over 870,000 customers had personal information exposed, creating risks including:

  • Targeted travel scams: Knowledge of travel dates and destinations enabled sophisticated fraud attempts
  • Phishing attacks: Email addresses and phone numbers combined with travel information allowed convincing impersonation of the insurer or travel companies
  • Identity fraud: Names, dates of birth and contact details provided building blocks for identity theft
  • Spam and marketing abuse: Contact information could be added to databases or sold to third parties

The decision not to notify affected customers meant policyholders were unaware they needed to be vigilant against potential scams using their stolen information.

Organisational Response

Aussie Travel Cover contacted the Australian Federal Police about the breach after both Queensland and NSW police forces declined to investigate the matter. The company notified its third-party agents but explicitly advised them not to inform policyholders, stating there was no reason to advise customers at that stage.

This non-disclosure approach drew criticism from privacy advocates and highlighted gaps in Australia's breach notification requirements, as mandatory breach notification laws were not yet in effect at the time. The incident occurred during the period when breach notification was voluntary rather than legally required, allowing companies to make their own judgement about whether to inform affected individuals.

Verification Source: View original statement