This article is more than 1 year old

Travel agent leaked customer data by – this is embarrassing – giving it away in a hackathon

Bad design bites as Flight Centre's policy of no credit card or passport numbers in app's free text field was not enforced, therefore ignored

Be careful what you wish for when running a hackathon, because one in Australia turned up a data breach in the trove of sample data offered to hackers. And it was probably developers’ fault.

The event in question was staged by global travel agency outfit The Flight Centre Group, which in March 2017 staged an event called a “design jam” for its Australian operations. The event aimed to “create technological solutions for travel agents to better support customers during the sales process.”

16 teams collectively comprising 90 people signed up and were given access to a dataset containing 106 million rows of data and containing 6,121,565 individual customer records.

Flight Centre thought it had cleaned that dataset so that design jammers could see year of birth, postcode, gender and booking information, but no personal information. And to make sure that was the case, Flight Centre had someone review “a top 1,000 row sample of each Data File within the Dataset”.

But each file was 28 million rows deep and as the design jam participants worked their way into the dataset, one noticed credit card numbers in a free text field.


Go ahead, stage a hackathon. But pray it doesn't work too well


To its credit, within 30 minutes of learning about the breach, Flight Centre restricted access to the data to design jam participants. Less responsibly, it restored access but with the free text field restricted to ten characters.

A ruling regarding the incident by Australian Information Commissioner Angelene Falk found that poor design of, and abuse of, the free text field was the culprit. The report was spotted by

Poor design of the field was in evidence because the free text field did not exclude data such as credit card and passport numbers, despite the existence of policies that instructed workers not to use the field for such purposes. Some workers had clearly not followed those policies.

The result was that 0.025 per cent of records in the design jam data contained personal information.

Falk noted that Flight Centre contacted as many of the impacted customers as it was able to and volunteered to pay for new passports, conducted credit card fraud monitoring and generally did all it could to make good after the incident. So it got off with being told to tighten up its databases and policies, a tongue-lashing, and being told not to let this happen again or else.

Flight Centre no longer runs hackathons. ®

More about


Send us news

Other stories you might like