One of the country's largest travel insurance companies opted not to tell customers about a hacking that saw potentially hundreds of thousands of Australians' personal information stolen and parts of its customer database posted online.
Aussie Travel Cover was made aware that its computer system was hacked on December 18 last year and let third-party agents know about the hack a few days later on December 23, but did not inform insurance policy holders or customers.
The hacker stole a large amount of personal information of travel insurance clients, including names, phone numbers, email addresses, travel dates and how much policies cost.
In an email to its agents, the company wrote that because it engaged consultants to help investigate the breach, "at this stage, there is no reason to advise policyholders".
Computer security expert Troy Hunt said the data showed "about three quarters of a million" records of personal information had been stolen, including items "like addresses and partial credit card details".
"There's two things here ... there's what has been publicly disclosed and then there's all the stuff the hacker hasn't released publicly and yet may be selling via the black market or passing on via various nefarious means," he said.
"The worry is things like identity theft, when you have names, email addresses, other personally identifiable information ... that person may be at risk of [someone] coming along and stealing their identity."
A log of the entire structure of the company's database, including how many records are in it, shows one part of the system, policies, has more than 770,000 records. Another called banking contained more than 100,000 records.
While Aussie Travel Cover said in the email to agents that no credit card records or bank details were kept on the website or database, the ABC has seen records which appear to show the first and last parts of credit card numbers with the rest of the number redacted.
Customers should have the 'courtesy of being informed'
The company has known for more than a month about the hack, and has taken steps to try to fix the hole the hacker exposed, taking its entire website offline for a month to fix the problem.
But Sophia, a customer who previously purchased Aussie Travel Cover insurance via a travel agent and only learned about the hacking after being contacted by the ABC, said she should have been told about the privacy breach.
"If your personal information that you've given a company ... somehow gets in the hands of people, they should let you know there's been some privacy breach - the courtesy of being informed," she said.
"And that way you can take precautions ... especially if it's credit card details and personal private information you don't want out there."
Aussie Travel Cover has told the ABC it was aware of the issue and cooperating with law enforcement, but could not provide any further information.
The ABC was told the hacker lives in Queensland, but Queensland Police referred the matter to the NSW Police as that was where the hack took place.
According to the international security research firm IntelCrawler, the hacker is known under his internet name Abdilo, and said he hacked the company because he was bored.
"It is irresponsible, I do not justify what I do," he said via internet chat.
"If you are vuln [vulnerable to hacking] 99 per cent of the time, I am going to steal everything and release it and/or sell it."
NSW Police previously said no-one was investigating the matter and confirmed on Monday that this was still the case.
Late on Monday the Australian Federal Police revealed it was aware of the matter.
But over the weekend the AFP said nothing, instead referring the matter to the Attorney-General's Department.
It said the so-called national computer emergency response team would not confirm if it was investigating anything.