Qantas data breach follows a familiar pattern in Australia of the company saying too little too late. Soon the legal problems will appear

July 4, 2025

There are three distinct issues that confront a company dealing with a data breach. The first is the legal issue: who to notify, when, and what steps must be taken to mitigate any loss. The second is the practical and technical issue: finding out how the breach occurred, the extent of the damage and what repairs need to be undertaken. The third is public engagement: notifying the public and the media, advising what went wrong and what is being done to fix the problem.

Australian companies are a long way behind their contemporaries in the United States and Europe in sophistication. Given the more effective regulation overseas, companies there are quicker to notify regulators. In the United States there is a culture of more transparent and effective communication with the public. Not always, but commonly. Australian companies tend to be dreadful at advising the public. Many put together bland boilerplate statements which mean nothing, which is their intent. That can lead to escalating problems and great mistrust. Rather than containing the fallout it increases it, as more information leaks about the data breach, much of it inconsistent with the blandly reassuring statements in the media releases.

It is good practice to have a data breach response plan which deals with each of these issues. In Australia even the companies that have such a plan rarely conduct practice runs and simulations. Many of their lawyers take a very rigid approach to the problem. As a result many responses are stilted, inflexible, incredibly defensive and often counterproductive.

The ABC piece "Qantas executives slow to be seen after data breach affecting up to 6 million customers" summarises the problem with tardy and inadequate responses. So far Qantas's handling has been at best mediocre, about on a par with most large Australian companies hit by a cyber attack. The Australian also covers the response in "How Qantas is managing the fallout of a cyber attack targeting the personal details of 6 million people". That article quotes a class action lawyer from Maurice Blackburn on the inadequacy of the privacy laws. She claims that data breaches in other parts of the world are "..not happening to the scale that it happens in Australia and in part that's because they have different laws in place that focus on things like data minimisation and higher standards of cyber security." That is partly correct but mostly not. Australian privacy legislation lags the UK and Europe, and even parts of the United States such as California's Consumer Privacy Act. It is not fit for purpose in a digital age where data can be collected easily, rapidly and in enormous volume. But the real problem in Australia has been very lax regulation and enforcement, which has led to a culture of complacency. For example, the civil penalty provisions under the Privacy Act 1988 have been in place since March 2014. They have been used only twice. That is ridiculous. Now that there is a statutory tort of serious invasion of privacy, individuals can take action without waiting for the regulator to decide whether to act.

The ABC article provides:

Vanessa Hudson has become something of a prolific letter writer this past week.

More than 6 million Qantas customers received a personalised email on Wednesday, signed by the chief executive, informing them that cyber criminals had scaled the company’s defences.

An unknown number were unlucky enough to be sent a follow-up the very next day.

It wasn’t cheery news.

The first missive outlined fears that the airline's database containing personal information had been hacked and your name might be on it.

For those receiving the follow-up, it was confirmation their name, email, phone number and frequent flyer number had also been unlawfully accessed.

It was suitably sombre.

“I want to personally apologise that this has happened and explain what we know and how we’re supporting you,” she wrote.

But the Qantas boss was nowhere to be seen.

The federal minister responsible for cybersecurity, Tony Burke, told the ABC on Wednesday that Hudson was on leave and he’d spoken twice with the acting chief executive.

Finally, on Friday morning, two days after the data breach was announced to the public, Hudson did a short interview with Channel Seven in London.

While her overseas leave may explain the CEO’s delay in fronting the media, neither the acting CEO nor anyone else from the airline put their head up publicly either.

The ABC’s interview requests were declined, and our reporters’ calls to the Qantas media line frequently went straight through to message bank.

For an enterprise that so damaged its reputation with customers during the Alan Joyce era, it was an odd approach to such a serious breach of trust.

Copping the blame

The sheer scale of the hack puts it in the upper league of Australian data breaches. Unlike the others, however, Qantas has attempted to assuage customer fears by assuring everyone that financial details and passport numbers weren’t included.

Latitude, Medibank and Optus were bigger attacks than this and, more importantly, they involved far more detailed and potentially damaging information.

In each case, after some initial confusion, those in charge fronted the media to personally take the heat.

It didn’t end well for all of them.

Latitude's Ahmed Fahour was halfway out the door by the time the hack, involving detailed financial and personal data on 14 million current and former customers, occurred, leaving his successor to deal with the aftermath.

But Optus chief Kelly Bayer Rosmarin endured months of criticism for initially attempting to minimise the severity of the breach, only to be forced out the following year after miscommunication over a nationwide outage.

In Medibank’s case, the breach was devastating, with almost 10 million customers exposed and private medical records for sale on the dark web.

Chief executive David Koczkar was forced into an unpalatable choice between quietly paying a Russian hacker a ransom and hoping it goes away or going public and enduring the scorn. He chose the latter and remains in the job.

Offshoring and outsourcing

The Qantas hack occurred in Manila at one of the airline’s call centres when a criminal was given access by an employee to a third-party customer servicing platform.

It happened just days after the FBI warned airlines to watch out for cyber attacks including on “third party IT providers which means anyone in the airline ecosystem including trusted vendors and contractors”.


The trend towards outsourcing key operations and sending those jobs offshore during the past 20 years has created opportunities for the new wave of cybercriminals.

Corporations have to rely upon the cyber security of their partners. The devastating Russian attack on Medibank again took place via an outside contractor, an IT worker whose login details inadvertently transferred to his personal computer.

Bringing all the functions in house, however, may not solve the issue. For, in most cases, the breaches were caused by human error or, in many cases, a momentary lapse in judgement.

As the FBI warning last week highlighted, cyber criminals are becoming increasingly more sophisticated and employing ever more devious methods.

“These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access,” it warned.

“These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorised MFA devices to compromised accounts.”

Nothing much to see here

Vanessa Hudson’s missives have been reassuring.

True, no credit card or banking details were surrendered, neither were there any passport details.

But even simple identity details can be used to devastating effect.

That three-letter acronym mentioned by the FBI relating to multi-factor authentication usually involves a mobile phone and an email address. Add in a birth date and that could be enough for a criminal to construct an identity.

According to her initial letter, the company has not received a ransom note. But it seems unlikely a hacker would spend the time and effort to crack the system, obtain the information and then decide to do nothing with it.

So far, Qantas executives have decided to keep a low profile. And the strategy appears to have worked. Either that or we’ve become all too accustomed to data hacks.

The share price has remained reasonably solid, and there has been little criticism either of the company or the executives.

But hiding from bad news can come back to bite.

The Australian article provides:

Qantas urged customers to be on the lookout for potentially sinister contact from criminals purporting to work for the airline, after the personal information of six million people was stolen from an offshore customer database.

As Qantas and cyber officials piece together the events of the past four days that led to the biggest attack on Australians’ data since the Medibank hack, industry sources said the stolen cache was yet to be shopped around on the dark web. And Qantas confirmed on Thursday it had not received any ransom demand from the hackers, who have not been formally identified.

On Friday, apologising again for the incident, chief executive Vanessa Hudson said the investigation was “progressing well” to determine what information has been accessed and there is “no further threat activity in the system”.

“We know that data breaches can feel deeply personal and understand the genuine concern this creates for our customers,” she said. “Right now we’re focused on providing the answers and transparency they deserve.”

She said more than 5000 customers had contacted the support line since the incident.

Additional security measures have been put in place to further restrict access and strengthen system monitoring and detection, including for Frequent Flyer accounts.

“Next week we will be in a position to update affected customers on the types of their personal data that was contained in the system,” Ms Hudson said on Friday.

Cloud-based software company Salesforce was behind the platform, but said the issue was “not due to any known vulnerability” in its product.

“Salesforce has not been compromised,” said a spokesman.

That’s because the so-called vishing attack had all the hallmarks of the Scattered Spider group, which was the subject of an FBI warning on June 28, following similar hacks against Hawaiian Airlines and WestJet. Vishing is a voice-based ruse.

Ms Hudson has also emailed passengers warning them to be on alert for “unusual communications claiming to be from Qantas” as well as “emails or calls asking for personal information or passwords”.

Names, dates of birth, email addresses, phone numbers and Frequent Flyer numbers were available on the Qantas customer database accessed by the hacker, who convinced a Manila call centre operator they worked for the airline.

“These (cyber criminals) rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access,” the FBI said in a post on X.

“They target large corporations and their third-party IT providers which means anyone in the airline ecosystem including trusted vendors and contractors could be at risk.”

Senior staff research engineer at Maryland-based cybersecurity firm Tenable, Satnam Narang, said the attribution of the Qantas attack was "tricky".

“Based on the limited details we know so far, it bears a resemblance to attacks conducted by the hacking collective referred to as Scattered Spider,” he said.

“(But) so far, there has been no confirmation that Scattered Spider was behind the attack against Qantas nor have we seen any attempts to shop the stolen data on the dark web.”

When Russian hackers struck Medibank in late 2022 they began publishing troves of sensitive customer information – including about policyholders treated for drug and alcohol addiction – within days of the attack after the health insurer refused to pay a $15m ransom.

Qantas emailed those affected late on Wednesday.

“Unusual activity” on the third party platform was detected on Monday, when action was taken to contain the system. No financial details were compromised.

It’s a major blow for the airline which has worked hard to rebuild trust under Ms Hudson following a series of controversies in 2023.

As well as being found to have unlawfully outsourced its ground handling workforce, Qantas faced heat from customers over its management of Covid-19 travel credits, and the consumer watchdog took legal action against the airline over the sale of tickets on already cancelled flights concluding in a settlement.

To date, those matters have cost Qantas $240m in compensation and fines with more to come in the form of a penalty for the unlawful outsourcing, and a class action over travel credits.

Ms Hudson’s email to customers caught up in the latest crisis said the incident was being taken “extremely seriously”.

“We’re implementing additional security measures to strengthen system monitoring and protection of your information as part of our response,” she said.

“If we identify new important information as we continue to investigate and respond to this incident, we will share it with customers.”

She also warned customers to be alert for “unusual communications claiming to be from Qantas” as well as “emails or calls asking for personal information or passwords”.

Maurice Blackburn class actions lawyer Lizzie O’Shea said the attack on Qantas had shone a light on the inadequacy of Australia’s privacy laws which were letting down consumers.

“In other parts of the world this is not happening to the scale that it happens in Australia and in part that’s because they have different laws in place that focus on things like data minimisation and higher standards of cyber security,” said Ms O’Shea.

“Australia is falling behind because our regulatory regime does not incentivise, or encourage or require high standards of data handling practices or cyber security, so we need to improve our privacy laws to get up to date with the rest of the world and then I think customers will see an improvement in how their information is handled.”
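The FBI warning quoted in both articles above describes one concrete technique: talking a help desk into resetting a user's MFA and then adding an attacker-controlled device to the account. The sketch below is an added example, not code from either article, from Qantas, or from any vendor named on this page. It shows how an identity team could flag MFA enrolments that fit that pattern in its own audit logs. The JSON-lines records, event names and field names are constructed for the example and are not any real product's schema; a real deployment would map its provider's audit events onto the two event types used here.

```python
"""Flag help-desk-driven MFA enrolments of the kind the FBI warning describes.

Added example. The audit records below are constructed and the schema
(event names, field names) is an assumption, not a vendor format.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit log. Three accounts:
#   j.smith : help-desk MFA reset, then an SMS device added BY the help-desk
#             operator three minutes later, then a sign-in using it.
#   m.lee   : ordinary self-service enrolment, no preceding reset.
#   r.chen  : help-desk reset, but the user self-enrols four hours later.
SAMPLE_LOG = """\
{"ts": "2025-06-30T09:02:11Z", "event": "helpdesk.mfa_reset", "actor": "hd-ops-17", "target": "j.smith", "ticket": "HD-4471"}
{"ts": "2025-06-30T09:05:40Z", "event": "mfa.device_added", "actor": "hd-ops-17", "target": "j.smith", "method": "sms", "ip": "203.0.113.45"}
{"ts": "2025-06-30T09:07:02Z", "event": "auth.signin", "actor": "j.smith", "target": "j.smith", "ip": "203.0.113.45", "mfa": "sms"}
{"ts": "2025-06-30T10:15:00Z", "event": "mfa.device_added", "actor": "m.lee", "target": "m.lee", "method": "authenticator", "ip": "198.51.100.8"}
{"ts": "2025-06-30T11:40:00Z", "event": "helpdesk.mfa_reset", "actor": "hd-ops-03", "target": "r.chen", "ticket": "HD-4490"}
{"ts": "2025-06-30T15:40:00Z", "event": "mfa.device_added", "actor": "r.chen", "target": "r.chen", "method": "authenticator", "ip": "192.0.2.77"}
"""

HELPDESK_RESET = "helpdesk.mfa_reset"   # assumed event name
DEVICE_ADDED = "mfa.device_added"       # assumed event name


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_suspicious_enrolments(events, window_minutes=30):
    """Return one finding per MFA enrolment that matches either signal:

    - the device was added by an actor other than the account owner
      (a help-desk operator enrolling a device "for" the user), or
    - the enrolment came within `window_minutes` of a help-desk MFA reset
      on the same account.
    """
    window = timedelta(minutes=window_minutes)
    last_reset = {}   # target account -> time of most recent help-desk reset
    findings = []
    for rec in events:
        if rec["event"] == HELPDESK_RESET:
            last_reset[rec["target"]] = rec["ts"]
            continue
        if rec["event"] != DEVICE_ADDED:
            continue
        reasons = []
        if rec["actor"] != rec["target"]:
            reasons.append(f"device added by {rec['actor']}, not the account owner")
        reset_ts = last_reset.get(rec["target"])
        if reset_ts is not None and timedelta(0) <= rec["ts"] - reset_ts <= window:
            minutes = int((rec["ts"] - reset_ts).total_seconds() // 60)
            reasons.append(f"{minutes} min after help-desk MFA reset")
        if reasons:
            findings.append({
                "target": rec["target"],
                "ts": rec["ts"].isoformat(),
                "method": rec["method"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_enrolments(parse_events(SAMPLE_LOG)):
        print(f["target"], f["ts"], f["method"], "; ".join(f["reasons"]))
```

On the constructed log only j.smith is flagged, on both signals; m.lee is an ordinary self-service enrolment, and r.chen's enrolment falls outside the 30-minute default window even though a reset preceded it, which is why the window is a parameter. A help desk that is authorised to add devices on a user's behalf will trip the first rule on every legitimate ticket, so in practice the two signals are read together and the window is tuned to the ticket-to-enrolment time the help desk normally sees. The follow-on step a responder would want, correlating the new device with the first sign-in that uses it (as in the j.smith sign-in line), is left out here to keep the example to the pattern the FBI described.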
