Qantas suffers data breach through a hack of its app
May 1, 2024
Qantas has suffered a data breach involving its mobile phone app. Apps are notoriously vulnerable, usually because organisations sacrifice proper security in the rush to release a shiny new app. In the Qantas case, frequent flyers who logged into the app were shown other people’s accounts. A possible cause is a fault introduced by recent system changes.
The Australian covers the story with:
Qantas is investigating reports of a bizarre privacy breach impacting the airline’s mobile phone app.
Frequent flyers have reported getting access to other people’s accounts when they logged onto the app.
Top tier frequent flyer Alborz Fallah, the founder of carexpert.com.au, said it seemed like there had been a “massive security breach” of the Qantas app.
“Every time I launch the app it gives me someone else’s account, their boarding pass, points score and status tier,” said Mr Fallah.
“Not only can I see where these random people are flying, I can also seemingly initiate a frequent flyer points transfer or book a flight under their name. I can also see all their booking reference numbers, so I could cancel their flights — everything, really.”
Posts on the Frequent Flyer Australia Facebook group revealed widespread issues, with some users getting access to boarding passes and personal details of other travellers.
Troy Foster said “first I was Sally now I am Caroline, and I’m going to Singapore, not Brisbane. Serious data breach”.
Qantas confirmed it was “investigating reports of an issue impacting the Qantas app” and was “urgently working to resolve the issue”.
“We sincerely apologise to our customers who have been impacted,” said a Qantas spokesman.
“We’re investigating whether this issue may have been caused by recent system changes.”
Mr Fallah said it was “funny in some ways but also a genuinely serious issue” particularly for high level frequent flyers with points balances in the millions.
“It really is a pretty shocking security breach,” he said.
The Qantas spokesman recommended that customers log out of and back in to their frequent flyer account on the Qantas app.
“Please also be aware of social media scams at this time,” he said.
“We will provide more information as soon as we can.”
The Qantas frequent flyer program has more than 15 million members who are encouraged to use the app for flight bookings, boarding passes, flight details and information about their points balance.
The Guardian’s coverage provides:
Potentially thousands of Qantas customers have had their personal details made public via the airline’s app, with strangers able to view other users’ account details and possibly make changes to existing bookings.
Clare Gemmell from Sydney said that she and four colleagues encountered the problem shortly after 8.30 on Wednesday morning.
“My colleague logged in and said ‘I think the Qantas app has been hacked because it’s not my account when I log in’.”
When Gemmell logged into the app, she was greeted with a message saying “Hi Ben”. The app told her Ben had more than 250,000 points and an upcoming international flight.
“Another colleague of mine said it looked like she was able to cancel somebody’s flight ticket,” she said.
“You could see boarding passes for other people, one of my colleagues could see a flight going to Melbourne and it looked like you could interact and actually affect the booking.”
The app has more than 115,000 ratings and reviews in the Apple store, where it has a star rating of 4.8.
Gemmell, who works in customer data technology, said the security lapse was “pretty shocking”.
“It’s a privacy breach and other people having access to my information and being able to cancel flights on my behalf is terrible customer service and very concerning,” she said.
“It’s basic 101 security that they should have tested any app changes before they released it into production,” she said, referring to the moment when the app went live.
She said she hadn’t been aware of an update to the app but that she since understood the app may have been updated overnight.
By about 8.50 on Wednesday morning, the app appeared to have reverted to normal, she said.
Qantas said in a statement that it was urgently working to resolve the problem.
“We’re urgently working to resolve the issue impacting the Qantas app this morning and we sincerely apologise to our customers who have been impacted,” a spokesperson said.
“We’re investigating whether this issue may have been caused by recent system changes.
“We recommend that customers log out and log in to their Qantas Frequent Flyer account on the Qantas App. Please also be aware of social media scams at this time.
“We’ll continue to provide more information as soon as we can.”