QLD Cruise Company - Credit Card Information Hacked - What to Do?



20 August 2015
I used to work for a cruise company that booked cruises online. Once the client had paid for the cruise, their credit card details were kept on file indefinitely. Recently, I have resigned from my position with the company due to my difference in opinion on running a business. The day after I resigned, due to poor security measures in place, someone in the United States hacked their internal server and stole an endless amount of credit card details from clients.

I paid for my sister's cruise and not only was my credit card compromised, so was my sister's and my friends who also booked a cruise. There were several other staff members whose credit cards were compromised as well. The owner of the business was fully aware of the fact and instead of advising clients has told staff not to mention it as there is no way of tracking it back to their company as the original hack source. I am furious at the disregard for security and lack of communication with this hack.

My credit card and my debit card have now been compromised, and the bank thinks it was from the same source. Something needs to be done about this as she cannot get away with keeping clients' details on file without their knowledge and then having the lack of security measures in place to protect these details. The data was not encrypted and was readily available to steal.

What I would like to know is: is there a company or an Ombudsman or somebody that I can complain to in order to stop the company from getting away with this serious breach of privacy? I was also under the impression that it was illegal to keep clients' financial data on file for a period of time as well.

If anyone could assist me in the procedure to chase this matter up I would greatly appreciate it.

Thank you so much


Hi Jetsetter84,

The Office of the Australian Information Commissioner (OAIC) can investigate privacy complaints about private sector organisations covered by the Privacy Act, which deals with how personal information should be stored.

You generally need to take it up directly with the company first, then allow 30 days for them to respond before contacting the OAIC. Here's some more info: Making a privacy complaint - OAIC