Australian visa processing company VisaLink has been exposing personal client data to the web, including passport numbers and address details.
The admin section of the VisaLink site is freely reachable from the web via an obvious extension (we won’t publish the link) and is not password protected. Visitors to the admin page can access all tracking data from the service (screenshots as follows) and even change files.
The exposure would normally be called a security breach, but that presumes there is security on the site: this has none at all. The lack of security may have resulted in personal and confidential client data being stolen and even used for criminal activity. The exposure may also be a serious breach of Australia’s privacy laws.
There’s not a lot of information about VisaLink on their website, aside from the fact that the company specializes in Russian Federation visas. Their client list includes most leading Australian travel agents, including Qantas Business Travel and Harvey World Travel.
I’ve emailed VisaLink for comment and provided the link so that they might actually try password protection for the page as a first line of data protection. I’ll update the post if they respond.
(thanks to our John for the tip)