Public Transport Victoria

Public Transport Victoria was found in breach of the Privacy and Data Protection Act after a dataset containing a record of 1.8 billion myki events was provided without sufficient de-identification.

The dataset contained a record of ""touch on"" and ""touch off"" events recorded by the myki system amounting to approximately 1.8 billion events across the 15 million distinct Myki cards.

Each event record comprises multiple data points, including date and time, location information, card identifier a unique number assigned to each Myki card.

The data allowed for individuals to be re-identified, and their travel activity for the three years exposed.

Source: https://www.zdnet.com/article/public-transport-victoria-in-breach-of-privacy-act-after-re-identifiable-data-on-over-15m-myki-cards-released/

"id": "PUB0810423",
"linkid": "public-transport-victoria",
"type": "Breach",
"date": "08/2019",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"