Australian Government - Office of the Australian Information Commissioner

Multicard Pty Ltd breaches Privacy Act

The Australian Privacy Commissioner Timothy Pilgrim has found Multicard Pty Ltd breached the Privacy Act 1988 by making the personal information of approximately 9,000 Maritime Security Identity Card (MSIC) applicants available online.

Multicard failed to take reasonable steps to ensure the security of the personal information it held, and was found to have disclosed personal information other than for a permitted purpose.

The data breach occurred after Multicard stored the personal information on a publicly accessible web server without appropriate security controls to prevent unauthorised access. The personal information was discoverable via Google search over a four-month period. As a result, unauthorised parties accessed and downloaded the information.

‘The OAIC’s investigation found that Multicard failed to implement a number of basic security measures which resulted in a large amount of personal information being exposed. This was a data breach that could have easily been avoided,’ Timothy Pilgrim said.

The data breach resulted in personal information, including first and last names, dates of birth, addresses, partial credit card numbers and expiry dates and photographs being made publicly accessible online.

‘I urge all organisations to carefully consider what security safeguards they have in place to protect the personal information they hold. It was disappointing to find that, amongst other issues, there was no requirement for a password, username or other authenticator to establish the identity of the user before the information could be accessed.’

However, the Commissioner found that Multicard acted appropriately to contain the data breach by immediately disabling its website and restricting access. Since the data breach, Multicard has appointed an independent auditor and taken a number of steps to improve its information security.

The Commissioner has requested that the independent auditor engaged by Multicard certify that Multicard has implemented the planned remediation steps, and provide to the OAIC the certification and a copy of the independent auditor’s report on Multicard’s information holdings and security systems by 30 June 2014.

For interview requests please contact: Ms Leila Daniels, 0407 663 968, media@oaic.gov.au

Notes for editors

The full investigation report can be found here: http://www.oaic.gov.au/privacy/applying-privacy-law/commissioner-initiated-investigation-reports/multicard-omi

The OAIC recommends that organisations refer to the Guide to information security. The Guide is not binding but sets out the OAIC’s expectations about what information security measures organisations should be taking.

Privacy Awareness Week will be held next week from 4–10 May 2014. This is the primary privacy awareness and education event in the Asia Pacific region. For more information see http://www.oaic.gov.au/news-and-events/privacy-awareness-week-2014/