Australia Post's Tracking Service May Have Publicly Disclosed Sensitive Mail Deliveries

    Exclusive: Items listed as firearms, iPads, prescription drugs and vibrators are all potentially visible.

    Australia Post's online tracking company may have publicly disclosed the contents and, in some cases, recipients of sensitive mail, including packages described as firearms, prescription drugs and sex toys.

    BuzzFeed News can reveal that a flaw in StarTrack's online tracking system allows members of the public to search mail deliveries by descriptions that at times disclose the contents of a mail delivery.

    After being alerted to the flaw by BuzzFeed News, Australia Post contacted Australia's privacy watchdog.

    The flaw means that any customer could search for a keyword instead of a tracking number, and the system would display all items tagged by a sender using that descriptive phrase.

    Information such as the item description, suburb location and recipient of the package could then be visible.
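
    The lookup behaviour described above, sketched as an added example (it is not StarTrack's code, which the article does not show): a flawed lookup that accepts the sender's free-text reference as a search key, next to a hardened one that accepts only an exact tracking id and returns no personal data. The record layout, the 12-character id format, the function names and all sample values are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample data: every identifier, name and place below is made up.
CONSIGNMENTS = [
    {"tracking_id": "EX7K2QF9M4ZT", "reference": "ORDER-1001",
     "suburb": "Exampleville", "signed_by": "A. Sample", "status": "Delivered"},
    {"tracking_id": "EX3H8WD1R6PB", "reference": "tablet",
     "suburb": "Testbury", "signed_by": "B. Sample", "status": "In transit"},
    {"tracking_id": "EX9C5NV0L2YJ", "reference": "tablet",
     "suburb": "Mockton", "signed_by": "C. Sample", "status": "Delivered"},
]

# Assumed id format for this sketch: 12 upper-case letters or digits.
TRACKING_ID = re.compile(r"[A-Z0-9]{12}")
PUBLIC_FIELDS = ("tracking_id", "status")


def lookup_flawed(query):
    """Treats the sender's free-text reference as a second lookup key."""
    q = query.strip().lower()
    return [dict(c) for c in CONSIGNMENTS
            if q in (c["tracking_id"].lower(), c["reference"].lower())]


def lookup_hardened(query):
    """Exact match on the tracking id only; returns status, no personal data."""
    q = query.strip().upper()
    if not TRACKING_ID.fullmatch(q):
        return None  # keywords and partial ids never reach the data store
    for c in CONSIGNMENTS:
        if c["tracking_id"] == q:
            return {k: c[k] for k in PUBLIC_FIELDS}
    return None


def shared_references():
    """Audit: reference values that resolve to more than one consignment."""
    counts = Counter(c["reference"].lower() for c in CONSIGNMENTS)
    return {ref: n for ref, n in counts.items() if n > 1}


if __name__ == "__main__":
    print(lookup_flawed("tablet"))
    print(lookup_hardened("tablet"), lookup_hardened("EX3H8WD1R6PB"))
    print(shared_references())
```

    The audit function is the check to run over existing data: any reference value shared by several consignments is one that a keyword search would have exposed as a group.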

    The revelations have emerged at a time of heightened public scrutiny of the integrity of Australia's mailing system as millions of forms are sent out around the country as part of the same-sex marriage postal survey.

    A spokeswoman for Australia Post, which owns StarTrack, said it had moved to restrict access to customer information as soon as it was informed by BuzzFeed News of the issue and had contacted the Office of the Australian Information Commissioner.

    Some items were described as "iPhones" and "iPads", and recipient names were available for some of these deliveries.

    Some of the mail deliveries BuzzFeed News was able to locate using the tracking system also included deliveries described as "firearms".

    Prescription drugs and chemist packages could also be seen, as could packages described as "DNA".

    Packages described as "vibrators" were also searchable in the online system.

    A spokesperson for Australia Post said: "We are confident the information obtained by BuzzFeed refers to the ‘reference information’ input by the sender. This is an open text field which allows them to use any description.

    "The data in the reference number field is often not an accurate description of the goods. This data may include brand names, internal descriptors or promotional text."

    This means that the descriptions will not always be an accurate representation of the mail that was delivered.

    In some cases, the identities of the people who signed for the mail were also available through these searches. This information was available through StarTrack tracking portals on the Optus and Virgin Mobile websites, and has since been removed.

    The Australia Post spokeswoman said: "No individual addresses have been disclosed. If a name is listed it relates to the person who signed for the parcel, not necessarily the addressee."

    The flaw appears to have emerged where descriptive words for packages are used by senders instead of reference numbers to identify individual parcels sent across Australia.

    This system allows the sender of a package to describe the item in the reference field, so it won't always be a genuine description.

    So, it's probably unlikely that this person actually sent a donkey through Australia Post.

    And this probably wasn't an actual stripper sent in the mail.


    But it's quite likely these are in fact electronic purchases from Samsung.

    The disclosure of the suburb and mail recipient details was clearly unintended by Australia Post. A spokesperson said: "We are working with the Office of the Australian Information Commissioner.

    "At StarTrack we take the security of our customers’ data very seriously. As soon as we were alerted to this issue, we immediately took steps to restrict access to the customer information," she said.