The Australian Privacy Commissioner Timothy Pilgrim has found Multicard Pty Ltd breached the Privacy Act 1988 by making the personal information of approximately 9,000 Maritime Security Identity Card (MSIC) applicants available online.

Multicard failed to take reasonable steps to ensure the security of the personal information it held, and was found to have disclosed personal information other than for a permitted purpose.

The data breach occurred after Multicard stored the personal information on a publicly accessible web server without appropriate security controls to prevent unauthorised access. The personal information was discoverable via Google search over a four-month period. As a result, unauthorised parties accessed and downloaded the information.
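The failure mode described above, an exported file sitting on a web server that answers unauthenticated requests and is indexable by search engines, is something an organisation can test for itself before a third party does. The following Python check is an added example written for this page, not code from the OAIC or from Multicard; the host, paths, status codes and headers in the sample are constructed, and the `fetch` helper is only needed when the check is pointed at a live server.

```python
"""Exposure check: can a document be fetched with no credentials, and would a
search engine index it?  Added example; the sample probes below are constructed."""
from dataclasses import dataclass
from urllib.parse import urlparse
import urllib.error
import urllib.request


@dataclass
class Probe:
    """Result of one unauthenticated GET: status code and lower-cased headers."""
    url: str
    status: int
    headers: dict


def fetch(url: str, timeout: float = 5.0) -> Probe:
    """Issue an unauthenticated GET (no cookies, no Authorization header).
    Only used against a live server; the demo below uses constructed probes."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return Probe(url, resp.status, {k.lower(): v for k, v in resp.headers.items()})
    except urllib.error.HTTPError as err:  # 401, 403, 404 ... still carry headers
        return Probe(url, err.code, {k.lower(): v for k, v in err.headers.items()})


def robots_disallows(robots_txt: str, path: str) -> bool:
    """Minimal robots.txt reader for the '*' user agent: True if some Disallow
    rule is a prefix of the path.  This only steers polite crawlers; it is not
    an access control and does not stop anyone who knows or guesses the URL."""
    applies = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            applies = value == "*"
        elif key == "disallow" and applies and value and path.startswith(value):
            return True
    return False


def classify(probe: Probe, robots_txt: str = "") -> str:
    """Map one probe to a verdict.  Only a 401 with a challenge is evidence that
    an authenticator is demanded; 403/404 say nothing about whether the file is
    reachable by another path, and any 200 is a finding whatever its indexability."""
    if probe.status == 401 and "www-authenticate" in probe.headers:
        return "auth-required"
    if probe.status == 403:
        return "denied"
    if probe.status in (404, 410):
        return "absent"
    if probe.status != 200:
        return f"other:{probe.status}"
    tokens = {t.strip() for t in probe.headers.get("x-robots-tag", "").lower().split(",")}
    hidden = bool(tokens & {"noindex", "none"}) or \
        robots_disallows(robots_txt, urlparse(probe.url).path)
    return "open-noindex" if hidden else "open-indexable"


def findings(probes, robots_txt: str = ""):
    """Return [(url, verdict)] for every probe that is served without credentials."""
    out = []
    for p in probes:
        verdict = classify(p, robots_txt)
        if verdict.startswith("open-"):
            out.append((p.url, verdict))
    return out


# Constructed sample: a hypothetical host and paths, not Multicard's.
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /private/\n"
SAMPLE_PROBES = [
    Probe("https://portal.example.invalid/exports/applicants.csv", 200,
          {"content-type": "text/csv"}),
    Probe("https://portal.example.invalid/photos/0001.jpg", 200,
          {"content-type": "image/jpeg", "x-robots-tag": "noindex, nofollow"}),
    Probe("https://portal.example.invalid/private/backup.zip", 200,
          {"content-type": "application/zip"}),
    Probe("https://portal.example.invalid/admin/applicants.csv", 401,
          {"www-authenticate": 'Basic realm="applicant-records"'}),
    Probe("https://portal.example.invalid/old/export.csv", 404, {}),
]

if __name__ == "__main__":
    for url, verdict in findings(SAMPLE_PROBES, SAMPLE_ROBOTS):
        print(f"{verdict:15} {url}")
```

The only acceptable verdicts for a file holding applicant records are `auth-required` or `absent`. An `open-noindex` result is still a finding: a robots.txt rule or an `X-Robots-Tag` header only delays discovery by search engines, which is the difference between being found in four months and being found sooner, not the difference between protected and exposed.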

'The OAIC's investigation found that Multicard failed to implement a number of basic security measures which resulted in a large amount of personal information being exposed. This was a data breach that could have easily been avoided,' Timothy Pilgrim said.

The data breach resulted in personal information, including first and last names, dates of birth, addresses, partial credit card numbers and expiry dates, and photographs, being made publicly accessible online.

'I urge all organisations to carefully consider what security safeguards they have in place to protect the personal information they hold. It was disappointing to find that, amongst other issues, there was no requirement for a password, username or other authenticator to establish the identity of the user before the information could be accessed.'

However, the Commissioner found that Multicard acted appropriately to contain the data breach by immediately disabling its website and restricting access. Since the data breach, Multicard has appointed an independent auditor and taken a number of steps to improve its information security.

The Commissioner has requested that the independent auditor engaged by Multicard certify Multicard has implemented the planned remediation steps, and provide to the OAIC the certification and a copy of the independent auditor's report on Multicard's information holdings and security systems by 30 June 2014.

The full investigation report can be found here:

The OAIC recommends that organisations refer to the Guide to information security. The Guide is not binding but sets out the OAIC's expectations about what information security measures organisations should be taking.

In view of the recent development with the 988 Visa issue, we have also been alerted that Multicard owns a Filipino site advertising MSIC cards.

The AMOU suggests that Members should be cautious about whom they select to renew their MSIC. Yet another example of why the Government should not outsource certain functions of Government.

Jan Thompson

Industrial Officer

Australian Maritime Officers Union

194 Drummond Street Carlton 3054

Ph: 03 9663 6702, Mob: 0417 050 816