One of Australia's largest home and contents insurers has suspended a new online feature that made private details about the security of people's homes publicly accessible, including whether monitored alarm systems were installed on their premises.
Suncorp's insurance arm, which includes AAMI, recently launched a new online feature designed to "make it easy" for consumers to obtain home and contents insurance quotes for their houses by filling out an online form.
But some of the answers to questions about a home were pre-populated (pre-filled) from past quotes lodged by customers or potential customers, from building records, or from location data. This raised concerns among customers that details about their homes could be exposed to anyone who entered their address.
Details exposed included whether a house had deadlocks, key-operated locks on windows, and burglar alarms and smoke detectors (monitored or not). This angered privacy advocates, who said it would be a treasure trove for criminals wanting to break into homes with weaker security systems in place.
Given that consumers did not have to prove they owned the address they entered, this further alarmed concerned customers, who complained directly to the company and on social media.
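The design flaw described above is an authorisation problem: the quote form used a physical address as the only "key" to a record that contained security attributes, so anyone who could type an address could read them. The following is an added illustration, not Suncorp or AAMI code; the record store, the field names, and the session model are all assumptions. It contrasts a pre-fill handler that behaves as the article describes with a hardened one that returns the sensitive fields only to a requester who has already proven a relationship to that address, and leaves those questions blank for everyone else.

```python
"""Address-keyed pre-fill: the disclosure pattern beside a hardened version.

Added example, not Suncorp/AAMI code. PRIOR_QUOTES, SECURITY_FIELDS, Session
and the two prefill functions are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed sample of previously-quoted property data, keyed by normalised
# address. In the real incident this came from years of customer quotes.
PRIOR_QUOTES: Dict[str, Dict[str, object]] = {
    "1 example st, melbourne": {
        "construction": "brick veneer",
        "year_built": 1995,
        "deadlocks": True,
        "window_locks": False,
        "monitored_alarm": False,
    },
}

# Attributes that describe how hard a property is to break into. These are
# the ones that must never be pre-filled for an unverified requester.
SECURITY_FIELDS = frozenset({"deadlocks", "window_locks", "monitored_alarm"})


@dataclass(frozen=True)
class Session:
    """Assumed session model: who is asking, and which addresses they have
    already proven a policy or ownership relationship to."""
    user_id: Optional[str]                 # None for an anonymous visitor
    verified_addresses: FrozenSet[str]     # normalised addresses


def normalise(address: str) -> str:
    return " ".join(address.lower().split())


def prefill_vulnerable(address: str, session: Session) -> Dict[str, object]:
    """The behaviour the article describes: the address alone unlocks the
    whole record, regardless of who is asking."""
    return dict(PRIOR_QUOTES.get(normalise(address), {}))


def prefill_hardened(address: str, session: Session) -> Dict[str, object]:
    """Only a requester who has verified a relationship to the address gets
    the security attributes. Everyone else gets the non-sensitive building
    facts (still a product choice worth reviewing) and blank security fields."""
    key = normalise(address)
    record = PRIOR_QUOTES.get(key)
    if record is None:
        return {}
    if session.user_id is not None and key in session.verified_addresses:
        return dict(record)
    return {k: v for k, v in record.items() if k not in SECURITY_FIELDS}


def disclosed_security_fields(prefill: Dict[str, object]) -> FrozenSet[str]:
    """Helper for review/testing: which sensitive fields a response leaked."""
    return frozenset(prefill) & SECURITY_FIELDS


if __name__ == "__main__":
    anon = Session(user_id=None, verified_addresses=frozenset())
    owner = Session(user_id="u-123",
                    verified_addresses=frozenset({"1 example st, melbourne"}))
    print("vulnerable, anonymous:",
          sorted(disclosed_security_fields(prefill_vulnerable("1 Example St, Melbourne", anon))))
    print("hardened, anonymous:  ",
          sorted(disclosed_security_fields(prefill_hardened("1 Example St, Melbourne", anon))))
    print("hardened, owner:      ",
          sorted(disclosed_security_fields(prefill_hardened("1 Example St, Melbourne", owner))))
```

The useful check for a reviewer is the last one: a negative test asserting that an anonymous session receives none of the security fields, run against every pre-fill path before the feature ships.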
"@AAMI you have a potential privacy issue. If you do a home insurance quote ... it spits out details of the home including security details like alarms, locks etc," Melbourne-based computer architect, Pratik Khasnabis, wrote to AAMI on Twitter.
"Thanks for bringing this to our attention," AAMI wrote back Monday morning.
"We've escalated this issue as a critical priority."
Another consumer on the Australian online broadband forum Whirlpool said they too complained.
"I called AAMI this morning to lodge a complaint, get my details removed and have this reviewed in general," the user, going by the online alias "Gnarl", said. "They are 'escalating' the request and 'waiting to see if other people feel there is an issue too'. I think they are pretty aware of this topic."
After Fairfax Media asked Suncorp a series of questions about the new online feature on Monday morning, the company suspended it by Monday afternoon. It said the feature was part of a "trial".
"Suncorp has suspended a trial online quoting system following customer concerns," a Suncorp spokesperson said, before confirming that the new feature was suspended on Monday.
The spokesperson said the feature was originally designed "to remove customer confusion".
"The trial quoting system is now under review."
They added that the pre-populated information was "based on data we've collected from customer quotes lodged over the years".
"The system asked customers to check this information and edit it if it was inaccurate, or add it in if we didn't have it."
Suncorp said because the information it pre-filled related to buildings, it did "not contain any personally identifiable information". If information is determined to be personally identifiable, Australia's privacy commissioner can investigate whether the Privacy Act has been breached.
Comment was sought from the privacy commissioner on Tuesday morning as to whether it would pursue an "own motion" investigation.
It's not the first time AAMI has run into trouble with privacy issues. In 2013 one of AAMI's managers failed to use the BCC field when she sent an email to 110 private addresses.
Worse than exposing private email addresses, the message went to everyone who had an ongoing dispute against AAMI with the Financial Ombudsman Service, accidentally uniting a group of people who were already very unhappy with one of Australia's largest insurers. Having been put in touch with one another, they went on to explore the possibility of launching a class action.
Australian security expert Troy Hunt, who runs the popular haveibeenpwned.com website — which alerts its users when their data has been exposed online — said while he understood what AAMI and Suncorp were trying to do in terms of increasing usability of their websites, it appeared to be a case "where they didn't fully think through the ramifications" of pre-filling their form's data.
"We need to be careful when publicly providing information relating to someone else's assets and when all you need is a physical address that's pretty much what it becomes, public information," Mr Hunt said.
"To their credit, AAMI appears to have responded to the initial concern very quickly and pulled the service down within a single business day so they deserve some positive recognition there."
Last Thursday in the US, Mr Hunt testified before Congress as an expert on cybersecurity about the impact of data breaches. The hearing looked at the current challenges facing identity verification and how the growing prevalence of data breaches is seriously undermining it.
Since launching his data breach notification service four years ago, Mr Hunt told the House subcommittee, he had logged more than 250 separate data breach incidents concerning over 4.8 billion exposed records.
"Data breaches will continue to grow in both prevalence and size for the foreseeable future," Mr Hunt said in his submission to Congress. "The rate at which we willingly share personal data will also continue to grow, particularly with an increasing proportion of the population being 'internet natives' who've not known a time where we didn't willingly share information online.
"Increasingly, the assumption has to be that everything we digitise may one day end up in unauthorised hands and the way we authenticate ourselves must adapt to be resilient to this."
Companies based in Australia currently have no obligation under Australian law to notify customers of breaches. That changes in February next year, when fines of up to $2.1 million (recently increased from $1.7 million) can be levied against those who act negligently and fail to notify affected users.