diff --git a/api/src/Storage/Tracking.php b/api/src/Storage/Tracking.php
index 1dda952f3f..8c53d3c3ad 100644
--- a/api/src/Storage/Tracking.php
+++ b/api/src/Storage/Tracking.php
@@ -255,6 +255,10 @@ abstract class Tracking
 {
 if (in_array($field['type'], Customfields::$non_printable_fields)) continue;
+ // Sometimes cached customfields let private fields the user can access
+ // leak through. Make sure we don't expose them.
+ if ($field['private']) continue;
+
 if (!$header_done)
 {
 $details['custom'] = array(
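Review bot: The added `if ($field['private']) continue;` guard drops private custom fields only inside this one loop, so the exposure described in the comment is closed for the details list but not where the cached field list is loaded. Any other code in this class that walks the same list (not visible in this hunk) could still put private values into output sent to recipients who may not read them; filtering once at load time, or confirming the other consumers, would make the fix complete. The test also reads an array key that may be absent on some field definitions, which raises an undefined-key warning on PHP 8; `if (!empty($field['private'])) continue;` gives the same result without it. The enclosing method and loop begin and end outside the hunk.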