This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

Myki / Public Transport Victoria

Summary

Public Transport Victoria suffered a major privacy breach in August 2019 when it released three years' worth of Myki public transport card data to researchers without adequately de-identifying the information. The Victorian privacy watchdog found the release breached privacy laws and put millions of Victorian commuters' personal information at risk, describing it as "shocking". With over 15 million Myki cards issued across Victoria's public transport network, the breach affected a substantial portion of the state's population.

What Happened

Misconfiguration. Public Transport Victoria released detailed travel data from Myki cards covering 2015 to 2018 to university researchers without properly removing identifying information. The dataset included card serial numbers, travel patterns, and times that could be cross-referenced to identify individuals. Privacy experts warned the data could easily be matched with publicly available information to reveal people's home addresses, workplaces, daily routines, and sensitive locations visited such as medical facilities or places of worship. The Victorian privacy commissioner launched an investigation and found PTV had failed to conduct adequate privacy impact assessments before releasing the data.

Impact on Individuals

  • Surveillance Risk: Detailed travel patterns could reveal home and work addresses, daily routines, and sensitive locations visited
  • Re-identification Possible: Although card numbers were hashed, the unique travel patterns could be matched to individuals through publicly available data
  • Privacy Invasion: Three years of commuter movements exposed potential targets for stalking, harassment, or discrimination
  • Vulnerable Groups: Particularly concerning for people visiting domestic violence shelters, addiction treatment centres, or other sensitive locations
  • Permanent Record: Historical travel data cannot be changed or deleted once released to researchers

The Victorian privacy watchdog described the breach as demonstrating concerning attitudes toward privacy in the public sector.

Response

Public Transport Victoria withdrew the dataset and acknowledged the privacy concerns. The Office of the Victorian Information Commissioner conducted a formal investigation and issued a determination finding PTV had breached the Privacy and Data Protection Act 2014. The investigation found PTV had failed to conduct adequate privacy impact assessments and had not properly de-identified the data before release. PTV committed to implementing stronger privacy protections, mandatory privacy impact assessments for future data releases, and improved staff training on data protection obligations. The incident prompted wider questions about government agencies' handling of sensitive transport and movement data. +++

Verification Source: View original statement