Flight Center leaks customer data in an incredibly stupid way

News
By published

Sensitive data was handed over to hackathon participants

Data Breach
(Image credit: Shutterstock)

Flight Center has confirmed that a significant data breach that occurred in 2017 was the result of sensitive information being left in a database given to hackathon participants. The compromised data included credit card numbers and passport details.

In March 2017, Flight Center organized a “design jam” for 16 hackathon teams, handing over 106 million rows of data containing 6,121,565 individual customer records. The travel company believed that the data had been purged of sensitive information, with only customers’ postcode, gender, and booking information supposed to be included.

Unfortunately, the data, which was 28 million rows deep, did contain the sort of information that Flight Center customers would rather have remained private. Hackathon participants found that 4,011 credit cards and 5,092 passport numbers belonging to 6,918 individuals were stored in free text fields.

Lessons to be learned

“The storage of passport information and credit card details in a free text field (in a manner inconsistent with applicable policies), and the absence of technical controls to prevent or detect such incorrect storage, caused an inherent data security risk in terms of how this kind of personal information was protected by the respondent immediately prior to the data breach,” Australian Information Commissioner and Privacy Commissioner Angelene Falk explained in a recent legal determination.

Flight Center informed the relevant customers that their personal information had been compromised and conducted a post-incident review to assess the long-term business impact and follow-up risks. A remediation plan suggested the scanning of respondent’s systems to identify and remove all instances of incorrectly stored data, updating the company’s privacy policy, and engaging a third party threat intelligence specialist to monitor social media and the dark web, to ascertain if the leaked data had been published anywhere.

Currently, there is no evidence that data compromised by the hackathon was posted online but the incident remains an embarrassing one for Flight Center. Unsurprisingly, the hackathon remains the only one the company has run to date.

Via The Register

Barclay Ballard
Barclay Ballard

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services.  After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things. 

Latest in Security
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight
Code Skull
This dangerous new ransomware is hitting Windows, ARM, ESXi systems
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Latest in News
DeepSeek
Deepseek’s new AI is smarter, faster, cheaper, and a real rival to OpenAI's models
Open AI
OpenAI unveiled image generation for 4o – here's everything you need to know about the ChatGPT upgrade
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
An aerial view of an Instavolt Superhub for charging electric vehicles
Forget gas stations – EV charging Superhubs are using solar power to solve the most annoying thing about electric motoring
More about security
cybersecurity

Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak

A major Keenetic router data leak could put a million households at risk
Proton CEO and founder Andy Yen poses next to the Proton logo at the headquarters of the encrypted email and VPN services company in Geneva.

Encryption backdoors: privacy can be misused, "but the cost of a world without is so much higher."
See more latest
Most Popular
Nimo N172 laptop
This obscure laptop brand sells a 64GB AMD Ryzen 9 laptop for just over $700 which is faster than the Apple's M4 CPU
DeepSeek
Deepseek’s new AI is smarter, faster, cheaper, and a real rival to OpenAI's models
Student with headphones around her neck using a phone while sitting in a cafe in front of a laptop
One of the richest men in the world castigates the billions of dollars spent on buying laptops for US classrooms with no apparent improvements
An aerial view of an Instavolt Superhub for charging electric vehicles
Forget gas stations – EV charging Superhubs are using solar power to solve the most annoying thing about electric motoring
Tesla Model Y 2025
Tesla’s EU sales are in freefall as VW races ahead, but the Model Y could change all that
Asus NUC 15 Pro+
Asus unveils its most powerful mini PC to date — but I don't think the Intel-powered NUC 15 Pro+ will compete with Strix Halo models
HDD
Seagate teams with Nvidia to build an NVMe hard drive proof of concept, more than 3 years after its last effort
Open AI
OpenAI unveiled image generation for 4o – here's everything you need to know about the ChatGPT upgrade
NetSuite EVP Evan Goldberg at SuiteConnect London 2025
"It's our job to deliver constant innovation” - NetSuite head on why it wants to be the operating system for your whole business
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event