NSW Transport Breach: Account Data at RiskBreach Affected Database Used to Book Train Tickets
A breach of an online service used by travelers to book train tickets in the Australian state of New South Wales appears to be more serious than first reported.
Transport NSW is warning those who used the booking system for TrainLink services to watch their accounts because exposed personal and payment card data could be utilized for fraud.
On May 27, Transport NSW said it shut down the online reservations system after a database had been compromised. The agency said the booking system did not contain enough credit card data to be used for transactions.
But police have now advised that "there is a risk that the limited credit card information in the compromised database could, in some circumstances, be used," NSW said in an updated statement.
A spokesman for Transport NSW says the agency did not have a further comment because it is still evaluating the scope of the breach. The online reservations system remained offline on May 23.
The state's Information and Privacy Commission has been notified, and affected customers will be contacted, the agency said.
NSW Privacy Commissioner Elizabeth Coombs said in a phone interview May 23 that it is important to wait until more evidence comes from the investigation so people are not unduly alarmed. "It is important that citizens and customers of that reservation system have the confidence when they provide personal information that it will be protected," she said.
When contacted by an organization, the NSW Information and Privacy Commission asks about the size and nature of a breach, how long it has been known about and how they will notify those affected. "It's really important to think how do we prevent such incidents in the future," Coombs said.
Australia does not yet have a law requiring organizations to notify victims of data breaches or regulators (see Australia, New Zealand Still Mulling Data Breach Laws). It does, however, have a draft bill in the works, but action on it will not happen until after the country holds a federal election on July 2.
Under current guidelines, the Office of the Australian Information Commissioner encourages disclosure when there is a "serious risk of harm."
Scope of Incident Unclear
Transport NSW did not say how many customers are affected. The database containing the credit card information is separate from a system used to process transactions.
The breach did not affect the Opal card, which is the near-field communication transport card used in the state. "Opal customers can be reassured that Opal data is kept on a separate system and has not been compromised," the agency said.
Transport NSW police are working the case. The agency has also called in AusCERT, the not-for-profit cyber emergency response team that is based at the University of Queensland.
AusCERT has a service called the Flying Squad, which is a crack team of experts dispatched onsite that helps AusCERT members plan a strategy after a data breach.