02 May 2014

Multicard

The Office of the Australian Information Commissioner has found that Multicard, the company handling the Maritime Security Identification Card (MSIC), was responsible for a data breach in which the personal information of some 9,000 people (including first and last names, date of birth, addresses, partial credit card numbers and expiry dates, and photographs) was accessible via a Google search.

Multicard failed to take reasonable steps to ensure the security of data it held and disclosed personal information other than for a permitted purpose.

Problems with the MSIC have been noted in this blog over several years. The card is a border protection mechanism in the form of a national photo ID card issued to people who have passed background checks. It signifies that the holder has met the minimum security requirements necessary to work unescorted or unmonitored in a maritime security zone.

The breach occurred after Multicard stored the information on a publicly accessible web server without appropriate security controls to prevent unauthorised access. The personal information was discoverable via Google search over a four-month period. As a result, unauthorised parties accessed and downloaded the information.

The OAIC investigation found that Multicard failed to implement several basic security measures, which resulted in a large amount of personal information being exposed. The Privacy Commissioner commented that "It was disappointing to find that, amongst other issues, there was no requirement for a password, username or other authenticator to establish the identity of the user before the information could be accessed."

Multicard "acted appropriately" to contain the data breach by immediately disabling its website and restricting access once the breach was known.

The OAIC has requested that the independent auditor engaged by Multicard certify that the company has implemented the planned remediation steps. Multicard is to provide the OAIC with that certification and a copy of the independent auditor's report on its information holdings and security systems by 30 June.

Bodies dealing with the MSIC and other border protection cards might be reasonably expected to gain and maintain certification.