Skip to main content

Flight Center leaks customer data in an incredibly stupid way

Data Breach
(Image credit: Shutterstock)

Flight Center has confirmed that a significant data breach that occurred in 2017 was the result of sensitive information being left in a database given to hackathon participants. The compromised data included credit card numbers and passport details.

In March 2017, Flight Center organized a “design jam” for 16 hackathon teams, handing over 106 million rows of data containing 6,121,565 individual customer records. The travel company believed that the data had been purged of sensitive information, with only customers’ postcode, gender, and booking information supposed to be included.

Unfortunately, the data, which was 28 million rows deep, did contain the sort of information that Flight Center customers would rather have remained private. Hackathon participants found that 4,011 credit cards and 5,092 passport numbers belonging to 6,918 individuals were stored in free text fields.

Lessons to be learned

“The storage of passport information and credit card details in a free text field (in a manner inconsistent with applicable policies), and the absence of technical controls to prevent or detect such incorrect storage, caused an inherent data security risk in terms of how this kind of personal information was protected by the respondent immediately prior to the data breach,” Australian Information Commissioner and Privacy Commissioner Angelene Falk explained in a recent legal determination.

Flight Center informed the relevant customers that their personal information had been compromised and conducted a post-incident review to assess the long-term business impact and follow-up risks. A remediation plan suggested the scanning of respondent’s systems to identify and remove all instances of incorrectly stored data, updating the company’s privacy policy, and engaging a third party threat intelligence specialist to monitor social media and the dark web, to ascertain if the leaked data had been published anywhere.

Currently, there is no evidence that data compromised by the hackathon was posted online but the incident remains an embarrassing one for Flight Center. Unsurprisingly, the hackathon remains the only one the company has run to date.

Via The Register