Shire’s credit crash

About 300 Cardinia shire ratepayers have been affected by a software error.

By Bonny Burrows

Cardinia Shire Council faces fines of up to $100,000 after a recent security breach exposed 300 ratepayers’ credit card details to council staff members.
The council has confirmed that credit card information of about 300 Cardinia residents was emailed out with payment receipts on Monday 20 February due to a “software error” which did not encrypt card numbers as required by security standards.
Instead the receipts, sent to the affected ratepayers themselves, contained their full 16-digit credit card numbers.
The incident breaches the Payment Card Industry Data Security Standard (PCI DSS), which is designed to ensure that credit card information is kept in a secure environment, and leaves the payment processor involved and the council at risk of financial penalties.
Requirements breached by the software error include encrypting cardholder data and sensitive information when it is transmitted across public networks, restricting access to cardholder data on a business need-to-know basis, and restricting physical access to cardholder data.
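The failure described above, a receipt generator that emits the full primary account number (PAN) instead of a masked one, is easy to prevent and to detect. The example below is added here and is not code from the council, Bill Buddy or the Flexipay system; it assumes a masking policy of "last four digits only" (one of the renderings PCI DSS permits for displayed PANs) and uses a Luhn checksum filter, a constructed receipt, and the well-known Visa test number 4111 1111 1111 1111 as sample input. The outbound check is the kind of gate a defender would put in front of the mail queue so that a regression like this one is caught before any email leaves.

```python
import re

# Digit runs of 13-19 digits, optionally separated by spaces or hyphens,
# not adjacent to other digits (so receipt ids and timestamps are skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render a PAN for display: everything but the last four digits starred.

    Assumed policy: last-four only. Raises on input that is not a plausible PAN
    so that a malformed value can never be echoed back to the customer verbatim.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("value does not look like a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def render_receipt(payer: str, pan: str, amount: float, receipt_id: str) -> str:
    """Build the receipt body with the card number already masked."""
    return (
        f"Receipt {receipt_id}\n"
        f"Payer: {payer}\n"
        f"Card: {mask_pan(pan)}\n"
        f"Amount: ${amount:.2f}\n"
    )


def find_unmasked_pans(text: str) -> list:
    """Return digit strings in text that look like live PANs (length + Luhn).

    Used as an outbound gate on receipt email bodies; the Luhn filter drops
    most reference numbers and timestamps that happen to be long digit runs.
    """
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def safe_to_send(body: str) -> bool:
    """True only if the outbound receipt contains no unmasked PAN."""
    return not find_unmasked_pans(body)


if __name__ == "__main__":
    # Constructed sample: a public test card number, not a real cardholder.
    test_pan = "4111 1111 1111 1111"
    good = render_receipt("A. Ratepayer", test_pan, 412.50, "RCPT-2017-0220-0042")
    print(good)
    print("good receipt safe to send:", safe_to_send(good))

    # The faulty behaviour from the article: full PAN written into the receipt.
    bad = good.replace(mask_pan(test_pan), test_pan)
    print("faulty receipt safe to send:", safe_to_send(bad))
    print("flagged:", find_unmasked_pans(bad))
```

The masking step and the outbound scan are deliberately independent: the first fixes the template, the second catches the template being wrong again, which is what a single "software error" in a third-party gateway amounts to from the council's side.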
The Gazette understands the council does not process payments internally but instead uses internet company Bill Buddy to process its online Flexipay rates payments.
The council’s Manager of Customer Communications Todd Trimble said once the glitch was discovered officers “immediately contacted the third party payment gateway provider and resolved the error”.
“It is important to point out that electronic receipts are only emailed to the registered account holder,” Mr Trimble said.
“Expiry dates and CRN (CVV/CVC) details were not included in the email receipt.”
It is understood the emails containing the credit card numbers were deleted from the council’s system.
The incident also appears to breach multiple clauses of the Privacy Act 1988 in relation to personal information security breaches and the need for the council to implement “reasonable security safeguards and to take reasonable steps to protect the personal information that they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.”
One affected party said it was unacceptable that the council was continuing to use the third party payment provider when it knew “the system was flawed”.
They said they hoped the council would have taken immediate steps to protect ratepayers from fraudulent transactions, but it appeared this wasn’t the case.
Cardinia Shire Council did not answer questions from the Gazette surrounding what action it would take against the payment provider, nor did it provide further details on how the breach occurred.
Mr Trimble said the council had “communicated” with the estimated 300 customers impacted by the error.
It is understood the Privacy Commissioner and the Victorian Ombudsman have been made aware of the incident.