Transport NSW: No Data at Risk
Suspected Breach Turned Out to be Database Hiccup
A suspected breach of credit card and personal data from a train ticket booking system has turned out to be simply an irregularity in a database, the transport agency for the Australian state of New South Wales says.
A spokesman for Transport NSW says it appears that credit card and personal information in the TrainLink reservations system was not exposed.
Transport NSW said on May 27 it shut down the TrainLink online booking system after a database appeared to have been compromised. At the time, it said credit card data was not at risk (see NSW Transport Breach: Account Data at Risk).
But a day later it warned some limited payment card data was exposed and could be used for fraud.
In a statement on June 2, however, Transport NSW said that financial institutions have now confirmed that there have been no reports of unauthorized transactions.
The investigation, which involved AusCERT and NSW transport police, "suggests that NSW TrainLink's security systems were successful in preventing attempts at unauthorized access to the reservation database," according to the statement.
TrainLink remains offline, the spokesman says. It was taken offline following the suspected breach, but administrators decided to keep it offline to move forward with a long-planned upgrade of the reservations system.
The upgrade, which has been planned for 18 months, is not related to the recent security issue, he says. The reservations system had been scheduled to be taken offline this month, but rather than inconvenience customers twice, the agency decided to move ahead with the project now.
After the suspected breach was detected, the agency notified the state's Information and Privacy Commission and said it would reach out to affected customers.
Australia does not have a mandatory data breach notification law, but the country has developed draft legislation (see Australia, New Zealand Still Mulling Data Breach Laws). A public consultation on the draft bill ended in March. No action will happen until after Australia's federal election on July 2.
The Office of the Information Commissioner recommends that organizations voluntarily report data breaches to it and affected customers if there appears to be a serious risk of harm, according to guidelines.