Real Customer Details Were Used as Sample Data in Hackathon

• A 2017 hackathon organized by Flight Centre ended in a data breach, affecting thousands of customers.
• The organizers weren’t careful enough with the obfuscation of the data and missed some cleartext details.
• The Australian Information Commissioner has decided to go easy on the firm and just published the findings.

According to a report by the Australian Information Commissioner, Angelene Falk, the Flight Centre Travel Group exposed at least 6,918 individuals about three years ago when they organized a hackathon using real customer data. The event was called “Design Jam,” and the organizers’ purpose was to set up a creative platform for sixteen teams comprising 90 individuals to develop new technological solutions for travel and customer support agents.

For some reason, probably due to extreme negligence, the organizers used real customer data for the event to give the participants a rich dataset to work with. That was 28 million rows of data corresponding to 6,121,565 customers. The identification and sensitive details were supposed to be obfuscated, and most were, but not all. For 36 hours, the event participants had access to the following details:

• 4,011 credit card details
• 5,092 passport numbers
• 475 usernames and passwords
• 757 dates of birth

When the organizers realized the blunder, they tried to remedy the situation by closing down access to the set and destroying all data copies. They deduced that the incident was “low risk” since the participants didn’t have malicious intent, and the breach wasn’t the result of a hack. The Flight Centre staff had reviewed the top 1,000 rows and found that everything was obfuscated before they opened access to the dataset, which was their explanation on how this happened.

Even if this is an acceptable and reasonable explanation, the fact that the company was collecting and reusing customer data without having a proper consent mechanism in place highlights yet another grave violation. The privacy policy of Flight Centre had no point that specifically asked people’s consent to use their personal information for the development of products, and this was confirmed in the commissioner's report.

Still, though, the commissioner doesn’t feel the need to punish the company any further now and mentioned a couple of alleviating points. First and foremost, COVID-19 has had a dire impact on Flight Centre’s business, so fining them now will merely endanger job positions. Secondly, the company covered the passport replacement costs ($68,500) and also an amount for credit monitoring services. And thirdly, the firm worked closely with the commissioner in this, providing candid responses and trying to hide nothing.