Data incident related to domain name registrations

auDA has become aware that, in limited cases, personal information of .au domain name registrants, including government issued identifiers associated with identity documents, was visible when the domain name was queried on the public .au WHOIS service. This was due to the inadvertent entry of information during the registration process into fields intended to capture public information only (such as Australian Business Numbers (ABNs) or Australian Company Numbers (ACNs)).

The registration process for .au domain names is carried out between a registrant and a registrar or reseller. .au registrars and resellers are responsible for validating the eligibility of registrants. While government issued identity documents such as passports may be required by .au registrars or resellers to validate eligibility, identifiers associated with these documents should not be included in publicly available fields.

auDA has conducted an initial review of the .au registry database and has found four impacted fields: Registrant ID, Registrant Name, Eligibility ID and Eligibility Name. auDA’s initial review has identified approximately 100 cases where information in these fields appears to match the format of government issued identifiers or is a postal address. auDA has removed this information from public view.

auDA’s review has also identified some cases where it is not possible to identify the nature of information provided in the four relevant fields. This data may be public business identifiers from legacy state-based business names or foreign jurisdictions; however, in some cases it may include personal information.

All impacted registrants will be contacted by auDA as a priority to recommend they review their information with their registrar. Support through IDCARE will be made available to all those impacted.

In addition to contacting registrants, auDA has engaged registrars to review potentially impacted information and to reinforce the importance of strong data protections during the registration process. auDA has also notified the Office of the Australian Information Commissioner (OAIC) and commenced a review of .au policies and processes to further strengthen protections of .au registrants.

As the body responsible for administering the .au domain, auDA is committed to ensuring the WHOIS service operates as intended. auDA takes data privacy seriously and extends its apologies for any concern and inconvenience caused.

Once notified by auDA, impacted .au registrants should contact their registrar in the first instance. They can also contact auDA via its website or phone 1300 732 929 (within Australia) or +61 3 8341 4111 (international) between 8am and 8pm AEST seven days a week for further information about this matter.

General advice on privacy and data protection is available from the Office of the Australian Information Commissioner and cyber.gov.au. auDA has also released additional guidance on the .au WHOIS to help existing and potential registrants understand how the WHOIS works, including key public fields.

For media enquiries contact media@auda.org.au.

Notes

What is the WHOIS service

For compliance and verification purposes, the .au WHOIS service is offered by auDA to allow queries of .au domain name registration records and to display certain details of contacts associated with a .au domain name licence. Making select information available through a publicly accessible WHOIS tool is a standard feature of domain name systems around the world and supports online accountability.

How to find your registrar

A registrar of record is the accredited .au registrar responsible for managing a registrant’s .au domain name in the .au registry database. All registrants have a registrar of record, even if they have registered their .au domain name through a reseller. Registrants can find their registrar’s name and contact details using the .au WHOIS tool.
