Australian Federal Police are investigating the potential hacking of a company contracted to produce aviation security cards but authorities have moved to allay fears about the potential for terrorists or criminals to use the information to access airports.
An e-mail obtained by the ABC from Aviation ID Australia, which produces Aviation Security Identity Cards (ASIC) for regional and rural airports, says the company’s website was “intentionally accessed by an unauthorized entity”.
“Unfortunately, we cannot confirm exactly what information has been accessed, however, personal information that may have been breached includes name, street address, birth certificate number, drivers licence number, Medicare card number and ASIC number,” the email said.
There were questions about whether the stolen information could be used to make false ASIC cards and get access to airports.
But the Department of Home Affairs downplayed both suggestions.
“The Aviation ID Australia cyber incident would not enable someone to fraudulently produce another ASIC or MSIC,’’ a spokesperson told AirlineRatings. “The cards are protected by a proprietary security feature and are produced under secure conditions.
“It is important to note that an ASIC or MSIC is not an access card. An ASIC or MSIC only indicates that the holder has had a background check.
“Airport and seaport owners and operators maintain responsibility, at all times, for access control to secure areas.”
READ: New X-Ray machines and body scanners in $A300m security upgrade
The AFP confirmed it was investigating a “potential breach of the Aviation ID Australia website”.
“While the investigation remains ongoing, it is not appropriate to provide further details,’’ a spokeswoman said.
One question that remained unanswered was the time between the suspected intrusion and the email alerting customers to the possible loss of their information.
AirlineRatings understands it could have been several months.
New data breach notification laws were introduced in Australia on February 22 this year that require businesses with a turnover of more than $A3 million to alert the Australian Information Commissioner if they get hacked.
