The determination was made by Australian Information and Privacy Commissioner Angelene Falk and announced in a statement on Monday.
The OAIC said the information, which included credit card and passport details, was released by Flight Centre during a "design jam" or hackathon in 2017.
During this event, Flight Centre brought together 16 teams to drum up tech solutions for travel agents and provided them with a dataset that included customers' personal information.
The company was said to have breached the following privacy principles:
- not taking reasonable steps to implement practices to ensure compliance with Australian Privacy Principles;
- disclosing individuals’ personal information without consent; and
- failing to take reasonable steps to appropriately secure the personal information.
“This determination is a strong reminder for organisations to build privacy by design into new projects involving personal information handling, particularly where large datasets will be shared with third party suppliers for analysis,” said Falk.
“Organisations should assume that human errors – such as the inadvertent disclosure of personal information to suppliers – could occur and take steps to prevent them.
“They should also carry out Privacy Impact Assessments for data projects to assist in identifying and addressing all relevant privacy impacts.”
Falk said the company had acted promptly when it became aware of the breach, restricting access, investigating the incident and making changes to its internal systems.
She expressed appreciation for the company's co-operation with the OAIC investigation and steps taken to lessen the effect of the leak, including the payment of $68,000 for replacement of passports.
The company was not fined but was asked not to repeat such activities.