Public Transport Victoria

Public Transport Victoria was found in breach of the Privacy and Data Protection Act after a dataset containing a record of 1.8 billion myki events was provided without sufficient de-identification.

The dataset contained a record of ""touch on"" and ""touch off"" events recorded by the myki system amounting to approximately 1.8 billion events across the 15 million distinct Myki cards.

Each event record comprises multiple data points, including date and time, location information, card identifier a unique number assigned to each Myki card.

The data allowed for individuals to be re-identified, and their travel activity for the three years exposed.

Source: https://www.zdnet.com/article/public-transport-victoria-in-breach-of-privacy-act-after-re-identifiable-data-on-over-15m-myki-cards-released/

TPRM report: https://scoringcyber.rankiteo.com/company/public-transport-victoria

"id": "pub0810423",
"linkid": "public-transport-victoria",
"type": "Breach",
"date": "08/2019",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': '15 million distinct Myki cards',
                        'industry': 'Transportation',
                        'location': 'Victoria, Australia',
                        'name': 'Public Transport Victoria',
                        'type': 'Government Agency'}],
 'data_breach': {'number_of_records_exposed': '1.8 billion events',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Date and time',
                                              'Location information',
                                              'Card identifier']},
 'description': 'Public Transport Victoria was found in breach of the Privacy '
                'and Data Protection Act after a dataset containing a record '
                'of 1.8 billion myki events was provided without sufficient '
                "de-identification. The dataset contained a record of 'touch "
                "on' and 'touch off' events recorded by the myki system "
                'amounting to approximately 1.8 billion events across the 15 '
                'million distinct Myki cards. Each event record comprises '
                'multiple data points, including date and time, location '
                'information, card identifier a unique number assigned to each '
                'Myki card. The data allowed for individuals to be '
                're-identified, and their travel activity for the three years '
                'exposed.',
 'impact': {'data_compromised': ['Date and time',
                                 'Location information',
                                 'Card identifier']},
 'regulatory_compliance': {'regulations_violated': 'Privacy and Data '
                                                   'Protection Act'},
 'title': 'Public Transport Victoria Data Breach',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Insufficient de-identification'}