Flight Center leaks customer data in an incredibly stupid way

News
By published

Sensitive data was handed over to hackathon participants

Data Breach
(Image credit: Shutterstock)

Flight Center has confirmed that a significant data breach that occurred in 2017 was the result of sensitive information being left in a database given to hackathon participants. The compromised data included credit card numbers and passport details.

In March 2017, Flight Center organized a “design jam” for 16 hackathon teams, handing over 106 million rows of data containing 6,121,565 individual customer records. The travel company believed that the data had been purged of sensitive information, with only customers’ postcode, gender, and booking information supposed to be included.

Unfortunately, the data, which was 28 million rows deep, did contain the sort of information that Flight Center customers would rather have remained private. Hackathon participants found that 4,011 credit cards and 5,092 passport numbers belonging to 6,918 individuals were stored in free text fields.

Lessons to be learned

“The storage of passport information and credit card details in a free text field (in a manner inconsistent with applicable policies), and the absence of technical controls to prevent or detect such incorrect storage, caused an inherent data security risk in terms of how this kind of personal information was protected by the respondent immediately prior to the data breach,” Australian Information Commissioner and Privacy Commissioner Angelene Falk explained in a recent legal determination.

Flight Center informed the relevant customers that their personal information had been compromised and conducted a post-incident review to assess the long-term business impact and follow-up risks. A remediation plan suggested the scanning of respondent’s systems to identify and remove all instances of incorrectly stored data, updating the company’s privacy policy, and engaging a third party threat intelligence specialist to monitor social media and the dark web, to ascertain if the leaked data had been published anywhere.

Currently, there is no evidence that data compromised by the hackathon was posted online but the incident remains an embarrassing one for Flight Center. Unsurprisingly, the hackathon remains the only one the company has run to date.

Via The Register

Barclay Ballard
Barclay Ballard

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things. 

Latest in Security
China
Chinese hackers targeting Juniper Networks routers, so patch now
Google Chrome dark mode
Google updates Chrome extension rules to ban affiliate link injection without user action or benefit
Abstract image of robots working in an office environment including creating blueprint of robot arm, making a phone call, and typing on a keyboard
This worrying botnet targets unsecure TP-Link routers - thousands of devices already hacked
Avast cybersecurity
UK cybersecurity sector could be worth £13bn, research shows
An option to add Ambient Music buttons to the iOS 18.4 Control Center.
Apple fixes dangerous zero-day used in attacks against iPhones and iPads
Trump
Hackers are abusing $TRUMP tokens to lure victims in to new phishing scam
Latest in News
Lilo & Stitch Official Trailer
Stitch crashes into earth and steals our hearts with the first trailer for the live-action Lilo & Stitch
GTA 5
GTA Online publisher Take-Two is gunning for a black market that’s basically heaven for cheaters
Y2K cast looking shocked
Y2K has a streaming release date on Max, so you can witness the technology uprising at home
The Discovery+ homepage
Discovery+ just got a big update to its streaming app that makes it more like Max – here are 5 great new features to try
Two Android phones on a green and blue background showing Google Messages
Struggling with slow Google Messages photo transfers? Google says new update will make 'noticeable difference'
China
Chinese hackers targeting Juniper Networks routers, so patch now
More about security
China

Chinese hackers targeting Juniper Networks routers, so patch now
Google Chrome dark mode

Google updates Chrome extension rules to ban affiliate link injection without user action or benefit
ThreatLocker CEO Danny Jenkins speaking at ZTW25

“It’s made our jobs harder, not easier” - ThreatLocker CEO Danny Jenkins on AI
See more latest
Most Popular
Lilo & Stitch Official Trailer
Stitch crashes into earth and steals our hearts with the first trailer for the live-action Lilo & Stitch
Y2K cast looking shocked
Y2K has a streaming release date on Max, so you can witness the technology uprising at home
China
Chinese hackers targeting Juniper Networks routers, so patch now
GTA 5
GTA Online publisher Take-Two is gunning for a black market that’s basically heaven for cheaters
Bolt Zeus 2c26-032 PCIe card
This GPU vendor I've never heard of claims its card is 10x faster than an Nvidia RTX 5090 at real time path tracing
Google Meet create custom backgrounds
More AI features are coming to Google Workspace
A mockup of the possible Apple M3 Ultra logo
Performance isn't the only reason you should buy Apple's M3 Ultra Mac Studio - it's reportedly one of the most power-efficient processors too
The Discovery+ homepage
Discovery+ just got a big update to its streaming app that makes it more like Max – here are 5 great new features to try
Apple products all showing different versions of the Apple Photos app
Apple Photos could actually win you over in iOS 18.4 – here are 4 improvements that are coming
Google Chrome dark mode
Google updates Chrome extension rules to ban affiliate link injection without user action or benefit