Illion Data Registries Pty Ltd, now owned by Experian Asia Pacific, breached Section 20Q of the Privacy Act 1988. This breach occurred when Illion incorrectly reported a Bank of Melbourne and a St George credit card as “open” for over a year, despite them being closed.
Under Section 20Q, a credit reporting body must take reasonable steps to protect the information it holds from misuse, interference, and unauthorised access. Illion failed to meet this obligation and provided false explanations, claiming the credit provider had re-reported the cards as open. This was outlined in Illion’s letters dated 15 October 2024 and 14 November 2024, which were later found to be false and misleading.
AFCA Case 12-24-129825 – Bank of Melbourne Credit Card
An AFCA determination stated:
“Based on the information provided by the parties, I am not satisfied that the financial firm (Illion Data Registries Pty Ltd) correctly recorded CCLI on the complainant’s credit file.”
The $500 compensation offered by AFCA was rejected, as it did not address the broader misleading and deceptive conduct by Illion’s leadership, nor the evidence of a systemic reporting error requiring public attention.
AFCA Case 12-24-159933 – St George Credit Card
On 25 March 2025, AFCA issued an assessment stating:
“Your complaint is about a St George Credit Card being listed as open with Illion when it was listed as closed by other credit reporting bureaus. Illion’s response of 7 January 2025 confirms it provided incorrect information on your credit file.”
AFCA endorsed Illion’s $1,000 compensation offer, but this was also declined for the same reasons—failure to address the misleading conduct and systemic issues.
Illion has refused to accept accountability, raising concerns that other consumers may be similarly affected without their knowledge.
The matter has now been referred to the Office of the Australian Information Commissioner for further investigation, including identifying vulnerable customers who may have been impacted but are unaware.
