Australian Information Security Incident Reported: August 15 2019

‘Shocking’ myki privacy breach for millions of users in data release

Just a few taps on and off, and a couple of tweets — that’s all it would take for a hacker or stalker to identify you and track down your movements with a myki.

Reported in: ABC News (Australia)

Myki is the reloadable ticketing system used on public transport services in Melbourne and regional Victoria.

Victoria’s Information Commissioner has today revealed Public Transport Victoria (PTV) breached privacy laws by releasing nearly two billion lines of what it claimed was de-identified data to support a data science competition in mid-2018.

It was de-identified to the extent that the card IDs — the name of the person using the card if it is registered to them — were removed. But researchers at the University of Melbourne discovered they could re-identify their own data, and the data of someone they’d travelled with, and link all the trips made using the same card.