Sea World Helicopters Helicopter Ride Gold Coast Data Breach Alert

4 JANUARY 2023 UPDATE
Sea World Helicopters Data Breach Victims share their grief and heartfelt condolences to everyone impacted by the devastating death, injury and distress caused by Sea World Helicopters Pty Ltd on Monday, 2 January 2023.

We look forward to the findings of investigations by the Australian Transport Safety Bureau (ATSB), the Queensland Police Service (Operation Victor Sandlewood) and Workplace Health and Safety Queensland.

We also welcome increased surveillance by the Civil Aviation Safety Authority (CASA) of Sea World Helicopters Pty Ltd and Professional Helicopter Services Pty Ltd (PHS).

We believe that Sea World Helicopters Pty Ltd and John ORR-CAMPBELL aka John Keith ORR-CAMPBELL (DOB 01/MAY/1955) (Sole Company Director and Secretary) should be wholly responsible for all financial support to those most impacted by Sea World Helicopters Pty Ltd on Monday, 2 January 2023. That said, you may wish to support announced GoFundMe fundraising efforts as follows:
Help Winnie & Leon Seaworld Crash Victims
QLD helicopter tragedy victim – Vanessa Tadros
Helicopter pilot ash jenko continues to help ppl

We are also aware of the Daily Telegraph article, “Gold Coast helicopter company investigated over two other incidents”.
The company behind the helicopters involved in the Gold Coast tourist tragedy has been at the centre of two other investigations including one where three people including the pilot were seriously injured

  • On 27 June 2022, Sea World Helicopters Pty Ltd and their marketing contractor, Media Booth Australia, were first made aware of a serious data breach/privacy incident involving Sea World Helicopters’ helicopter ride Gold Coast customers.
  • This serious data breach/privacy incident impacts hundreds (but likely, thousands) of Sea World Helicopters Pty Ltd and Professional Helicopter Services Pty Ltd helicopter flight customers across Australia.
  • Helicopter flight booking and personal information, including full name, email address, phone number and weight, were compromised and published on the Internet.
  • If a Sea World Helicopters or Professional Helicopter Services helicopter flight booking was for a group or family booking, the name and weight of each person in that booking were also compromised and published on the Internet.
  • Data supports a contention that all Sea World Helicopters and Professional Helicopter Services helicopter flight bookings made between 17-27 June 2022 were compromised and published on the Internet. It is reasonable to assume that this serious data breach/privacy incident started before 17 June 2022.
  • Sea World Helicopters and Professional Helicopter Services failed to secure their customers’ personal information. They allowed an unknown number of third parties, likely including cybercriminals, to access their customers’ personal information for an extended period across multiple sources, including public Google search results, public Google cache and the publicly accessible, insecure web server of their marketing contractor, Media Booth Australia, at apicaller.com.au.
  • Sea World Helicopters and Professional Helicopter Services should never have shared their customers’ personal information, including weight, with a third-party contractor to assist with their marketing activities.
  • Brisbane law firm, Redchip Lawyers, represents Sea World Helicopters Pty Ltd and Media Booth Australia.
  • Sea World Helicopters declined to proactively notify all impacted customers (as data breach victims) and the Office of the Australian Information Commissioner (OAIC). As a result, the Sea World Helicopters data breach is now the subject of an OAIC complaint.

Sea World Helicopters data breach victim investigated by Redchip Lawyers

LinkedIn screenshot for a Sea World Helicopters data breach victim with search activity by Professional Helicopter Services Pty Ltd and Redchip Lawyers: How often your profile appeared in (LinkedIn) search results between June 28 - July 5 (2022).

Read Redchip Lawyers’ bizarre, unsolicited letter to an Australian journalist who Redchip Lawyers investigated for sharing the same name as a Sea World Helicopters data breach victim (2 July 2022)


Read a Sea World Helicopters data breach victim’s reply to Redchip Lawyers (2 July 2022)

Dear Thomas BEVITT,

Your letter dated today continues your clients’ incompetent handling of this data breach/privacy incident and contains multiple significant deficiencies. Notably:

  1. Your clients ignore the fact that they publicly disclosed my weight which is also personal information. As you are aware, your clients have publicly disclosed the full names, email addresses, phone numbers and weights of hundreds of Sea World Helicopters and PHS helicopter flight booking customers.
  2. Your email letter also erroneously refers to another [REDACTED – Data Breach Victim’s Name] (I am not [REDACTED – Australian journalist with the same name], the [REDACTED – Journalist’s Employment], but have BCC’d [REDACTED – Journalist’s Gender] to this correspondence). I do not operate any of the listed social media accounts or websites.

Please urgently advise and confirm that all impacted customers, including me, and the Office of the Australian Information Commissioner (OAIC), have been notified of this data breach to mitigate the risk of continued serious harm.


Read Redchip Lawyers’ letter to a Sea World Helicopters data breach victim (21 July 2022)


Read a Sea World Helicopters data breach victim’s reply to Redchip Lawyers (22 July 2022)

Dear Robert CHAMPNEY,

Your correspondence yesterday contains multiple serious defects requiring the immediate attention and action of your firm and your clients, including:

  1. My email address is [REDACTED] and not [REDACTED] as addressed.
  2. Your firm is a repeat offender in citing legislation that does not exist. BEVITT’s email dated 1 July 2022 refers to the Defamations Act 2005. BEVITT’s letter dated 2 July 2022 refers to the Privacy Act 19888. Your correspondence yesterday also refers to the Privacy Act 19888. Side note: Yes, the Privacy Act 19888 might exist 17,866 years from now but I can only hope that interpreting imagined far future legislation was not the focus of your firm’s carriage of this matter to date.
  3. Your firm’s review ignores material facts that your firm and your clients have known since 30 June 2022, including that “The complainant, among other things, has held [REDACTED] and been protected by a [REDACTED] Intervention Order issued in recent months. It follows that this data breach/privacy incident has caused, and continues to cause, among other things, serious distress to the complainant and their family.”
  4. Your firm’s review ignores material facts that your firm and your clients have known since 30 June 2022, including that “Data supports a contention that all Sea World Helicopters Pty Ltd (SWH) and Professional Helicopter Services Pty Ltd (PHS) customer bookings/orders made between 17-27 June 2022 have been compromised in this data breach/privacy incident. That said, it is reasonable to assume that this data breach/privacy incident started before 17 June 2022.” As your firm and your clients are aware, your clients cannot rely on their remedial action as being prompt and appropriate in relation to my complaint because an unknown number of third parties, likely including cybercriminals, had access to my personal information for an extended period of time (at least nine (9) days) across multiple sources, including public Google search results, public Google cache and your client’s (Media Booth Australia) publicly accessible, insecure web server.
  5. Your correspondence yesterday made the first acknowledgment of your clients’ unauthorised disclosure of my weight. That said, your firm’s subsequent review continues to ignore the material fact that your clients publicly disclosed my weight which is also personal information (and health information under the Privacy Act 1988 (Cth)). As the Office of the Australian Information Commissioner (OAIC) states, “People commonly regard health information as one of the most sensitive types of personal information”. As your firm and your clients are aware, your clients publicly disclosed the full names, email addresses, phone numbers and weights of hundreds of SWH and PHS helicopter flight booking customers.
  6. Unlike other reputable air operators, your client (SWH) failed to disclose the collection and use of health information, including weight, in its privacy policy. Health information, including weight, should never have been disclosed by your client (SWH) to a third-party contractor (Media Booth Australia) to assist your client with its marketing activities. Your firm’s review also ignores this material fact.
  7. Your correspondence yesterday fails to take any corrective action (including formal apologies to me and [REDACTED – Australian journalist with the same name]) for your firm’s inadequate conduct in this matter.
  8. In response to [15] of your correspondence yesterday: there is no legal basis for requesting the deletion or destruction of information made publicly available on the Internet by your clients (for an extended period of time).
  9. In response to [16] of your correspondence yesterday: I do not consider this matter to be “at an end” or otherwise resolved to our mutual satisfaction.

As this serious data breach/privacy incident unnecessarily extends for another day (and continues to expose hundreds of SWH and PHS customers, including me, to serious harm), I look forward to your firm and your clients resolving this seriously distressing matter to our mutual satisfaction today. Thank you.

Copy: OAIC.


Read a Sea World Helicopters data breach victim’s (still unanswered) questions to Redchip Lawyers (26 September 2022)

Dear Robert CHAMPNEY,

  1. As you know, this serious data breach/privacy incident started at least ten (10) days before your clients became aware (following my responsible disclosure on 27 June 2022) and took any steps to contain the data breach. As you also know, in those ten (10) days, at least hundreds of Sea World Helicopters (SWH) customers, like me, were impacted by this data breach. Given data breaches involving personal information (let alone sensitive health information like weight) are highly valued and traded by cybercriminals (see yesterday’s News.com.au media report in relation to the Optus data breach), have your clients actively monitored cybercriminal forums and networks for the trading of SWH customers’ personal information since 27 June 2022? If yes, how has monitoring occurred and has any trading been identified to date? If no, why not?
  2. Did your firm advise its client, Wired Marketing Group Pty Ltd t/as Media Booth Australia (Media Booth Australia), to destroy potential evidence of this serious data breach/privacy incident by deleting the apicaller.com.au domain name after I responsibly disclosed this data breach to your clients? If yes, why?
  3. Alternatively, did your client, Media Booth Australia, independently trigger or action the domain name deletion referenced at [2]? If yes, why?
  4. In addition to SWH and Professional Helicopter Services (PHS), have Media Booth Australia’s other apparent impacted clients referenced at apicaller.com.au like [REDACTED] been made aware of any impact of this incident on their business to date? If yes, when? If no, why not?

Read a Sea World Helicopters data breach victim’s (still unanswered) follow-up to Redchip Lawyers (7 October 2022)

Dear Craig HANLEY and Robert CHAMPNEY,
Another informative article for Sea World Helicopters (SWH), Professional Helicopter Services (PHS) and Redchip Lawyers in the AFR: What personal data do scammers want from you (and how will they use it)?

The article covers the value of personal information disclosed in the SWH and PHS serious data breach/privacy incidents to scammers, including full name, email address and phone number.

The article does not cover the value of other personal information likely disclosed to scammers and other cybercriminals in the SWH and PHS data breaches, including weight and the names and weight of family members. That said, and as you know, health information is considered one of the most sensitive types of personal information. Scammers also regularly use information about family members (See ACCC warning of suspicious messages as “Hi Mum” scams spike).

I continue to wait for my “we’re deeply sorry” apology from SWH (and an adequate investigation). Thank you.


Update: Craig HANLEY (CEO of Professional Helicopter Services and a Group General Manager of Sea World Helicopters) publicly liked a LinkedIn post relating to the Optus data breach (29 September 2022) – while blocking emails on his email server from a victim of data breaches that he has overseen as a senior executive of Professional Helicopter Services and Sea World Helicopters.

Craig HANLEY (CEO of Professional Helicopter Services and a Group General Manager of Sea World Helicopters) publicly liked a LinkedIn post relating to the Optus data breach (29 September 2022).
Craig HANLEY blocks emails from a data breach victim to his Sea World Helicopters email address.