
Flight Centre

Flight Centre disclosed in December 2020 that a 2017 data breach during an internal hackathon had exposed 6,918 customers' personal information, with an OAIC investigation finding the company breached multiple privacy principles.

What Happened

In 2017, Flight Centre held an internal hackathon where staff were given access to customer data for development purposes. As a result, customer information, including names, email addresses, phone numbers, passport details, and booking information, was exposed to staff who should not have had access.

The breach occurred due to inadequate access controls and a failure to de-identify or anonymise data before providing it for the hackathon. Staff participating in the development event were able to view real customer records rather than sanitised test data.

The breach wasn't publicly disclosed until December 2020, when the OAIC's investigation findings were released, more than three years after the incident.

Impact on Individuals

The 6,918 affected customers had their personal and travel information exposed to unauthorised Flight Centre staff. The exposure of passport details created identity theft risks, while travel booking information revealed personal movements and travel patterns.

Organisational Response

The OAIC investigation found Flight Centre breached Australian Privacy Principles relating to security of personal information, use and disclosure, and notification obligations. Flight Centre accepted the findings and entered into an enforceable undertaking to improve privacy practices, implement staff training, and enhance data security controls. The incident became a case study in the importance of data minimisation and proper access controls, even for internal business purposes.
