Data breaches at Flight Centre and elsewhere…the excuse “Human Error” seems to be more acceptable than system faults..really?
July 15, 2017 |
The passport details of Flight Centre customers have been released to third parties who were working with Flight Centre in developing business products. The extent of the breach, in terms of numbers of passport holders personal information being leaked and what exactly was released to the unauthorised party, has not been disclosed. That level of opaqueness in notification tends to be typical in Australia but much less so in the United Kingdom and the United States. Curiously the Flight Centre stresses that human error, rather than a systems failure, was the cause of the breach. As if that makes it better or less serious. The Privacy Act does not make such a distinction. For some reason it seems to be an increasingly common part of an explanation for a breach. As likely as not that is the inspiration of a PR flack who may hope that a human error happens only rarely whereas a systems error can happen all the time. This seems to be the approach taken when Norther Territory officials claimed that the data breach involving Dylan Voller’s confidential files were dumped at the Alice Springs Tip shop. In that case the variation on the human error excuse was that it was an accident. It is falacious to think that human error is less egregious than a systems error. Human error is responsible for many breaches, often as a consequence of inadequate training and poor protocols. In terms of attacking a system hackers who are motivated by money no longer prefer to attack a cyber defence head on looking for weaknesses but rather use social engineering to obtain access to a system, then escalating privileges and then accessing data. The human error that leads to such a breach is almost invariably due to poor privacy practices.
The ABC report provides:
Travel agency Flight Centre has mistakenly released the personal information of some of its customers to “third-party suppliers”, in an incident it describes as human error rather than a security breach.
The ABC understands the leaked information included passport details.
Flight Centre would not say how many customers had been affected and would not clarify what information was released.
A company spokesman said they had acted quickly to contain the information when it became aware of the issue.
“We also sought and received assurances from the suppliers that they did not retain copies,” the spokesman said in a statement.
He said the company had contacted affected customers.
“While we believe the risk that this information will be misused is relatively low given the circumstances, we chose to inform the affected customers so they could take additional precautions if they considered it appropriate,” the spokesman said.
“The steps people should take have been outlined in the letters they have received.”
Customer Nikki Racco has told the ABC she received a letter from Flight Centre.
“[The letter told] me they had mistakenly made some customers’ details available to a third party, which included revealing our passport numbers,” she said.
“[I] am absolutely dismayed that once again we are ‘forced’ to provide this information as part of a service and yet there can no longer be any expectation that this information can be kept safe.”
[…] Data breaches at Flight Centre and elsewhere…the excuse “Human Error” seems to be more accepta… […]