A customer purchased travel-related services from a company. The company sent him an email with a link to his booking details on its website. The customer noticed that the website URL ended with his booking number. He observed that by changing the booking number, he could view booking details for other customers. He realised that other individuals would also be able to view his booking information.

The booking details included personal information about customers like:

• Name
• Address
• Phone number
• Email address
• Vehicle registration
• Travel dates

The customer was concerned about this information being disclosed. He contacted the company asking it to secure his personal information on its website, but it did not respond. He then complained to us.

Principle 5

Principle 5 expects agencies to have reasonable security safeguards to protect personal information against loss, inappropriate access, use, modification or disclosure, or other misuse.

Agencies making personal information available to customers via a website must have reasonable safeguards to prevent that information from being accessed by others.

We contacted the company to ask about its security safeguards for customer information on its website. The company agreed that the website needed additional security.

The company referred the issue to its website provider, who immediately updated the website to protect booking details.

The company also introduced a new process where access to booking details on its website would be achieved only through a link emailed to each customer.
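An added example, not code from the company or from this case note, contrasting a lookup keyed only on the booking number with one that also requires a per-booking token carried in the emailed link. The HMAC scheme, the `travel.example` URL, the function names and the sample bookings are assumptions for illustration; the case note does not say how the company's new links work.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumption: a server-side secret, generated once and stored outside the code base.
LINK_KEY = secrets.token_bytes(32)

# Constructed sample data with sequential booking numbers.
BOOKINGS = {
    "100231": {"name": "A. Customer", "email": "a@example.com"},
    "100232": {"name": "B. Customer", "email": "b@example.com"},
}

def _tag(booking_no: str) -> bytes:
    """Token bound to one booking number; cannot be computed without LINK_KEY."""
    return hmac.new(LINK_KEY, booking_no.encode(), hashlib.sha256).hexdigest().encode()

def make_link(booking_no: str) -> str:
    """Build the link that is emailed to the customer who owns the booking."""
    return f"https://travel.example/booking/{booking_no}?t={_tag(booking_no).decode()}"

def lookup_unsafe(booking_no: str):
    """The flaw described above: the booking number alone grants access."""
    return BOOKINGS.get(booking_no)

def lookup_safe(booking_no: str, token: str):
    """Return the booking only when the token matches this booking number."""
    supplied = (token or "").encode()
    if not hmac.compare_digest(_tag(booking_no), supplied):
        return None  # missing, altered, or issued for a different booking
    return BOOKINGS.get(booking_no)

def handle(url: str):
    """Parse an incoming booking URL and apply the token check."""
    parts = urlsplit(url)
    booking_no = parts.path.rsplit("/", 1)[-1]
    token = parse_qs(parts.query).get("t", [""])[0]
    return lookup_safe(booking_no, token)
```

A link of this kind still works for anyone who obtains it, so it limits access to the holder of the email rather than replacing a customer login.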

The customer was satisfied with this result, and we closed our file.

September 2010

Security of personal information - private sector agency - customer booking information not secured on website - settlement - Privacy Act 1993; principle 5