The Office of the Australian Information Commissioner (OAIC) has published its report of an own motion investigation into Multicard Pty Ltd which it set up in response to information received from the Office of Transport Security (OTS) that personal information of a large number of Multicard applicants was publicly accessible online.
The Commissioner came to the view that Multicard had breached the Privacy Act by failing to take reasonable steps to secure the personal information it held. The Commissioner also found that Multicard had unlawfully disclosed personal information.
Personal information collected by Multicard for the purpose of assessing and granting applications for a Maritime Security Identity Card (MSIC; the MSIC information) was made publicly accessible online.
The following elements led to the data breach:
- Multicard stored information about MSIC applicants in a folder labeled ‘uploads’ (uploads folder) on a publicly accessible web server.
- Multicard stored the MSIC information in randomly named sub-folders in the uploads folder.
- Multicard incorrectly configured the MSIC website to allow directory browsing, including of the uploads folder and its sub-folders.
- Multicard did not configure its website to request search robots not to index the parts of the MSIC website that were not intended to be publicly accessible, including the uploads folder and its sub-folders.
- Google indexed the uploads folder on and from 23 September 2012, making photos of MSIC applicants and other information discoverable via Google search between 23 September 2012 and 16 January 2013 (when Multicard responded to the breach).
The Commissioner found that the steps that Multicard took to contain the breach were appropriate. After being notified of the breach, Multicard temporarily disabled the MSIC website, restricted access to the uploads folder, and requested Google to clear all relevant caches.
However, the Commissioner expressed concerns that Multicard’s initial internal investigation into the breach, and the pace of that investigation, was insufficient.
The OAIC recommends that organisations refer to the Guide to information security which sets out the OAIC’s expectations about what information security measures organisations should be taking.