Global ID card supplier Multicard’s decision to store the personal information of 9000 Australian Maritime Security Identify Card applicants on a publicly accessible Web server was a breach of the Privacy Act, Australian Privacy Commissioner Timothy Pilgrim said today.
The Maritime Security Identity Card scheme is used to identify people who have been subjected to background checks.
Pilgrim launched the own notion investigation in February 2013 after it emerged that the 9000 applicant’s details-- including names, dates of birth, addresses, partial credit card numbers and photos-- were discoverable online for four months using a Google search.
As a result, he said that unauthorised parties accessed and downloaded the applicant’s details.
- ACCC apologises after exposing email addresses
- Mandatory data breach notification back on government agenda
- OAIC releases privacy impact assessment guide for consultation
Read more: NSW government adds to ICT advisory panel
Multicard "failed to take reasonable steps" to ensure the security of the personal information it held, and was found to have disclosed personal information other than for a permitted purpose, Pilgrim said in a statement.
His investigation found that Multicard failed to implement a number of basic security measures which resulted in a large amount of personal information being exposed.
For example, he said it was disappointing to find that there was "no requirement for a password, username or other authenticator to establish the identity of the user before the information could be accessed."
“This was a data breach that could have easily been avoided,” Pilgrim said.
However, he added that that Multicard “acted appropriately” to contain the data breach by immediately disabling its website and restricting access.
Since the data breach, he said that the company has appointed an independent auditor and taken a “number of steps” to improve its information security.
As part of Pilgrim’s ruling, Multicard must certify that it has implemented the remediation steps. It must also provide certification and a copy of the independent auditor’s report on Multicard’s information holdings and security systems to Pilgrim by 30 June 2014.
Follow Hamish Barwick on Twitter: @HamishBarwick