Protecting Information Rights – Advancing Information Policy


Topic(s): Data security / breach | Internet
 

Media Release: Ticketmaster7 privacy errors highlight industry wide problem


12/2/04

"I am disappointed that businesses, covered by the Privacy Act for over 2 years, are still making fundamental errors," said Federal Privacy Commissioner, Malcolm Crompton.

"Some businesses have continued to run web sites that allow anybody to view other customers' personal information by changing numbers in the URL (web site address) of an online service they offer.

"I caution all companies to ensure they are meeting their obligations under the Privacy Act, especially when it comes to their on-line activities. There is no longer any excuse for not having privacy built into information technology system re-design and/or upgrades," he said.

The Commissioner made his comments while concluding an investigation into a breach of the Privacy Act by Melbourne based Ticketmaster7. The breach centred on the on-line enquiry service offered through their web site.

"While I'm pleased with Ticketmaster7's response time to the privacy breach, I'm disappointed that, 2 years after the introduction of the private sector provisions of the Act, simple security holes in web sites still haven't been fixed," he said.

"I expect all organisations to make sure that they do not include personal information in the URL (web site address) of the on-line services they offer. Nor should it be possible to access somebody else's personal information simply by changing a few numbers or characters in a web site address," said Mr Crompton.

In December last year it came to the Commissioner's attention that the personal information of people contacting Ticketmaster7 was being exposed via their web site.

Due to a coding error on the Ticketmaster7 web site, it was possible to access the personal information of people who had made online enquiries of Ticketmaster7 simply by changing the last four digits in the web address.

When people made use of the online enquiry service they were given a unique web site address in order to be able to track the progress of their enquiry. However, if the enquirer typed in four different numbers at the end of the web address, the details of other Ticketmaster7 enquirers came up. The personal information exposed included the name, phone number and email address of enquirers.
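The flaw described above, and one way to close it, as an added illustration (example code written for this page, not Ticketmaster7's or the Office's). The class, function names and sample data are constructed, and the random-token design is an assumption about a suitable fix.

```python
import hashlib
import secrets


class EnquiryStore:
    """Constructed stand-in for an online enquiry tracking service."""

    def __init__(self):
        self._next_ref = 1000        # sequential four-digit reference
        self._by_ref = {}            # reference -> record (weak design)
        self._by_token_hash = {}     # sha256(token) -> record (hardened design)

    def create(self, name, phone, email):
        record = {"name": name, "phone": phone, "email": email,
                  "status": "received"}
        ref = f"{self._next_ref:04d}"
        self._next_ref += 1
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._by_ref[ref] = record
        # Only the hash is stored, so a leaked table does not yield live links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._by_token_hash[digest] = record
        return ref, token

    def track_weak(self, ref):
        # Flaw: any guessable reference returns the full personal record.
        return self._by_ref.get(ref)

    def track_hardened(self, token):
        # Unguessable token, and the response carries progress only:
        # no name, phone number or email address is returned.
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self._by_token_hash.get(digest)
        return None if record is None else {"status": record["status"]}


def records_reachable(lookup, own_value, candidates):
    """Regression check: how many records can the holder of own_value
    reach by submitting other values to the tracking endpoint?"""
    return sum(1 for c in candidates
               if c != own_value and lookup(c) is not None)
```

A check like `records_reachable` belongs in the test suite of any service that hands out tracking links, so a change that reintroduces guessable references fails the build.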

The security hole came to the attention of the Commissioner following a call from an ABC journalist. "Ticketmaster7 is lucky that no complaints regarding the security breach have been made to the Office by Ticketmaster7 customers," said the Commissioner.

Upon hearing of the alleged security hole, the Office began an investigation into the alleged security breach. Once it verified that customer information was indeed vulnerable, the Office contacted Ticketmaster7 to make them aware of the problem. Ticketmaster7 acted immediately by closing down the vulnerable web service.

The Commissioner found that Ticketmaster7 did breach the federal Privacy Act. However, he commended them on their quick response to the privacy breach. He said he was satisfied with the measures that Ticketmaster7 have put in place since the problem was discovered.

In addition to closing down the vulnerable web site service, Ticketmaster7:

  • reviewed all on-line functionality on 11 December 2003 and verified that the problem did not affect their other online services such as 'Check My Order' or 'Membership' on-line services;
  • undertook to improve its quality management system to address in more detail its information technology systems; and
  • reported that the electronic data it holds about individuals is protected from external access with a firewall and that internally, there is restricted access, via password and pin-codes, to the data.

"I urge all organisations to learn from the Ticketmaster7 problems and to make sure that they don't fall into the same trap," said Mr Crompton.

"I will be keeping a close eye on the on-line activities of organisations to ensure that the privacy of their customers is protected.

"I want people to contact my Office if they know of Australian web sites that don't have adequate security measures in place," he said.