OVIC Finds PTV in Violation of Privacy and Data Protection Act 2014 in myki Records Disclosure

The Office of the Victorian Information Commissioner (OVIC) has determined that the Public Transport Victoria (PTV, also known as Victorian Department of Transport) breached the Information Privacy Principle (IPP) under the Privacy and Data Protection Act 2014 (PDP Act). The decision came after the PTV released data in 2018 that exposed more than 15 million myki cards’ “touch on” and “touch off” travel history data, which could be used to identify specific users.

myki is a reloadable smart card used to pay for fares on a number of public transport services in Victoria, Australia. The affected data amounts to around 1.8 million events, comprising three years of data points that include card identifiers, location information, date, and time.

According to the report, PTV disclosed the myki records to Data Science Melbourne in 2018 at the request of the Department of Premier and Cabinet (DPC) to support the Datathon, a competition to find innovative uses for a dataset. PTV took steps to anonymize the records following their Privacy Impact Assessment (PIA) conduct before releasing the data via DPC’s DataVic, the government’s open data platform.

During the competition’s run from July to September, a participant began raising concerns that the dataset could be used to re-identify the cards’ owners. Separately, researchers from University of Melbourne were able to identify themselves and known associates from an unrestricted dataset online via an Amazon S3 bucket. They have published and submitted their findings to OVIC.

[Read: Canada to impose own data breach notification regulations]

PTV disagrees with the OVIC’s assessment, claiming that the data is not considered personal as the dataset pertained to information of the cards and not the individual. They added that myki cards can be used by multiple persons, and therefore could not be associated with just one user. However, OVIC maintains that personal information can be revealed using the travel histories of a card user, and the office has issued a Compliance Notice stating that PTV will have to reassess and develop policies around the release of data until 2020. Failure to comply with the recommended actions may result in fines for individuals and the organization.

[Read: Managing digital footprints and data privacy]

Considering the amount of personal information that individuals tend to post online, datasets can serve as research starting points cybercriminals can use to look into patterns, behaviors, and information regarding potential victims. Malicious actors can narrow down a number of data points to specific high-value targets, such as politicians or political refugees, for different attacks. Here are some best practices:

• Monitor your online posts and online accounts’ privacy settings. Avoid writing about specific details regarding travels that an attacker can use.
• Be aware of social engineering techniques that attackers can use to collect personal and sensitive information.