The Qantas saga continues with Qantas providing details of what was stolen while customer anger grows
July 9, 2025
Qantas has finally posted details of the compromised personal information by way of an update today, nine days after first detecting the intrusion. The stolen data relates to 5.7 million customers. Of that number:
- 4 million customer records are limited to name, email address and Qantas Frequent Flyer details. Of this:
- 1.2 million customer records contained name and email address.
- 2.8 million customer records contained name, email address and Qantas Frequent Flyer number. The majority of these also had tier included. A smaller subset of these had points balance and status credits included.
- Of the remaining 1.7 million customers, their records included a combination of some of the data fields above and one or more of the following:
- Address – 1.3 million. This is a combination of residential addresses and business addresses including hotels for misplaced baggage delivery.
- Date of birth – 1.1 million
- Phone number (mobile, landline and/or business) – 900,000
- Gender – 400,000. This is separate to other gender identifiers like name and salutation.
- Meal preferences – 10,000
So the majority of the stolen records were limited to names, email addresses and Frequent Flyer details: plenty to undertake some phishing and a good start for identity theft. The 1.7 million customers whose residential addresses, dates of birth and phone numbers were taken are in a more vulnerable situation. Those data points are very useful for a range of illegal activities, especially identity theft.
Qantas has finally provided some advice and pointed to IDCARE as providing assistance. It is fairly rudimentary but better than the non-responsiveness of earlier days.
This has prompted another round of media coverage, with the Australian’s “Qantas reveals extent of personal details stored on database that was subject to cyber attack” and “Major update after 5.7 million Qantas customers affected by widespread cyber attack”, and some prognosticating with “Qantas cyber hack highlights danger of storing huge banks of customer data, says legal expert”. Of particular concern to Qantas would be the ABC’s report “Qantas cyber attack victims say the airline is failing to protect data”.
First, to Qantas’ update. It has provided a breakdown of what data was compromised. The update provides:
Qantas has begun updating customers on their personal data that was compromised as a result of the cyber incident in one of its call centres last week.
The following is an update on the response:
Details of compromised customer data
Qantas has progressed its forensic analysis of the customer data in the system that was compromised.
There is no evidence that any personal data stolen from Qantas has been released but, with the support of specialist cyber security experts, we continue to actively monitor.
Qantas has reconfirmed no credit card details, personal financial information or passport details were stored in this system and therefore have not been accessed.
There continues to be no impact to Qantas Frequent Flyer accounts. Passwords, PINs and login details were not accessed or compromised. The data that was compromised is not enough to gain access to these frequent flyer accounts.
After removing duplicate records, our investigation has found that there were 5.7 million unique customers’ data held in the system. Specific data fields vary from customer to customer.
The analysis of customers’ personal data has found (all numbers are approximate):
- 4 million customer records are limited to name, email address and Qantas Frequent Flyer details. Of this:
- 1.2 million customer records contained name and email address.
- 2.8 million customer records contained name, email address and Qantas Frequent Flyer number. The majority of these also had tier included. A smaller subset of these had points balance and status credits included.
- Of the remaining 1.7 million customers, their records included a combination of some of the data fields above and one or more of the following:
- Address – 1.3 million. This is a combination of residential addresses and business addresses including hotels for misplaced baggage delivery.
- Date of birth – 1.1 million
- Phone number (mobile, landline and/or business) – 900,000
- Gender – 400,000. This is separate to other gender identifiers like name and salutation.
- Meal preferences – 10,000
Customer records are based on unique email addresses and customers with multiple email addresses may have multiple accounts.
Advising customers of their personal data impacted
Qantas is progressively emailing affected customers to advise them of the types of their personal data that was contained in the impacted system and provide advice and support.
Customers can continue to access the dedicated support line on 1800 971 541 or +61 2 8028 0534. This service remains available 24/7 and customers have access to specialist identity protection advice and resources through this team.
Qantas Group Chief Executive Officer Vanessa Hudson said:
“Our absolute focus since the incident has been to understand what data has been compromised for each of the 5.7 million impacted customers and to share this with them as soon as possible.
“From today we are reaching out to customers to notify them of the specific personal data fields that were held in the compromised system and offer advice on how they can access the necessary support services.
“Since the incident, we have put in place a number of additional cyber security measures to further protect our customers data, and are continuing to review what happened.
“We remain in constant contact with the National Cyber Security Coordinator, Australian Cyber Security Centre and the Australian Federal Police. I would like to thank the various agencies and the Federal Government for their continued support.”
Advice to customers
We recommend that customers take the following general precautionary steps and remain vigilant to any misuse of their personal information:
- Remain alert, especially with email, text messages or telephone calls, particularly where the sender or caller purports to be from Qantas. Always independently verify the identity of the caller by contacting them on a number available through official channels;
- Where available, use two-step authentication – such as an authentication application – for personal email accounts and other online accounts;
- Stay informed on the latest threats by visiting the Australian Cyber Security Centre and the National Anti-Scam Centre’s Scamwatch webpage;
- Visit IDCARE’s Learning Centre and the Office of the Australian Information Commissioner website for further information and resources on protecting personal information; and
- Do not provide your online account passwords, or any personal or financial information. Qantas will never contact customers requesting passwords, booking reference details or sensitive login information.
The Australian’s article about the law is something of a curate’s egg: good in parts. A lawyer is quoted as saying “...there was no restriction on how long customer details could be stored by companies” and that “under Australian law, companies could hold onto customers’ personal details almost indefinitely.” It is correct that there is no legislated restriction on periods for holding data, but the Australian Privacy Principles make it clear that personal information can only be held when there is a purpose for holding that information related to the primary purpose of collection. Holding data for an extended period when a company has no reason to use it is a breach of the Principles. For example, holding the personal information of a customer who has died or who no longer uses the services (and the company knows it) is a breach of the Principles. In that regard there is a restriction on the storage of data. What is lacking is proper regulation and an understanding in the marketplace that companies caught hoarding personal information for which they have no use will face high-profile, embarrassing, expensive civil penalty prosecution by the Privacy Commissioner. The lawyer is 100% correct when stating “it was not good enough to simply suggest that such incidents happened all the time.” Companies affected by data breaches quickly claim that data breaches are a matter of when, not if, and that they are working with this, that or another Commonwealth agency to fix the problem. The first proposition is nonsense. There are companies that do not get breached because they have appropriate protections and proper training.
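What the Principles’ purpose test looks like when actually enforced in a system is a periodic retention sweep: every record is either still serving the purpose it was collected for, is held only under a statutory obligation (the seven-year retention Medibank cited after its own breach is the kind of hold meant), or has no purpose and must go. The Python below is an added illustration, not Qantas code and not drawn from any of the articles. The record schema, the three-year “active purpose” window, and the rule that a record kept only under a legal hold is stripped of the profile fields the hold does not need are all assumptions chosen to show the technique; the sample records are constructed.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional, Tuple


# Assumed schema: a flattened customer record with the kinds of fields the
# breach notice lists (email, loyalty balance, contact and profile fields).
# Hypothetical; not Qantas's data model.
@dataclass
class CustomerRecord:
    customer_id: str
    email: str
    last_activity: date                      # last booking, flight, points transaction or login
    points_balance: int = 0
    phone: Optional[str] = None
    date_of_birth: Optional[date] = None
    meal_preference: Optional[str] = None
    legal_hold_until: Optional[date] = None  # e.g. a statutory retention period (assumed)


# Assumed operational purpose window: a customer inactive for longer than this,
# with no loyalty balance, gives the business no purpose to keep the record.
RETENTION_YEARS = 3


def retention_status(r: CustomerRecord, today: date,
                     retention_years: int = RETENTION_YEARS) -> str:
    """Classify one record as 'keep', 'minimise' or 'purge'."""
    cutoff = today - timedelta(days=365 * retention_years)
    if r.last_activity > cutoff or r.points_balance > 0:
        return "keep"       # still serving the primary purpose of collection
    if r.legal_hold_until is not None and r.legal_hold_until > today:
        return "minimise"   # must be kept, but only the fields the hold needs
    return "purge"          # no purpose and no hold: holding it is a breach


def minimise(r: CustomerRecord) -> CustomerRecord:
    """Drop profile fields a statutory hold does not need (assumed: identity and
    contact email suffice) so a later breach of the held record exposes less."""
    return replace(r, phone=None, date_of_birth=None, meal_preference=None)


def sweep(records: List[CustomerRecord], today: date
          ) -> Tuple[List[CustomerRecord], List[CustomerRecord], List[str]]:
    """Return (records kept unchanged, minimised records, ids to purge)."""
    keep, minimised, purge = [], [], []
    for r in records:
        status = retention_status(r, today)
        if status == "keep":
            keep.append(r)
        elif status == "minimise":
            minimised.append(minimise(r))
        else:
            purge.append(r.customer_id)
    return keep, minimised, purge


# Constructed sample data, not real customers.
SAMPLE = [
    CustomerRecord("c1", "a@example.com", date(2025, 5, 1)),                    # recent flyer
    CustomerRecord("c2", "b@example.com", date(2014, 3, 12),                   # last booking 2014
                   phone="0400 000 000", date_of_birth=date(1980, 1, 1)),
    CustomerRecord("c3", "c@example.com", date(2020, 1, 15),                   # under a hold
                   phone="02 0000 0000", date_of_birth=date(1975, 6, 30),
                   meal_preference="vegetarian", legal_hold_until=date(2027, 1, 15)),
    CustomerRecord("c4", "d@example.com", date(2019, 6, 30), points_balance=12000),  # live balance
]
TODAY = date(2025, 7, 9)

if __name__ == "__main__":
    keep, minimised, purge = sweep(SAMPLE, TODAY)
    print("keep:", [r.customer_id for r in keep])
    print("minimised:", [(r.customer_id, r.email, r.phone) for r in minimised])
    print("purge:", purge)
```

The point of the three-way split is that a legal hold is not a licence to keep everything: the customer who last booked in 2014 (c2) is purged outright, and the record under a hold (c3) survives only as the fields the hold needs, which is what data minimisation means in practice. Once the hold lapses the same sweep classifies c3 as purge.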
The article provides:
The Qantas data hack could lead to changes in the way organisations collect data, as awareness grows of the risks involved in storing large amounts of sensitive customer information for long periods of time.
Maurice Blackburn class action principal lawyer Lizzie O’Shea said at present, there was no restriction on how long customer details could be stored by companies, creating huge banks of data that were attractive to cyber criminals.
An estimated six million Qantas customers had personal details stolen from a database after an “interaction” between the cyber criminal and an offshore call centre late last month.
Qantas is yet to decide whether to compensate those affected, and will not say if it’s received a ransom demand from the culprit.
Following on from other major cyber attacks on Optus and Medibank in recent years, Ms O’Shea said it was not good enough to simply suggest that such incidents happened all the time.
“We’ve seen many Australian businesses engaging in huge data collection on the assumption that one day it might be valuable to their business, and now I think we’re going into a period of re-evaluation where it’s clear that collecting data is not just an upside for a business — it may also create liabilities,” she said.
“We’ve been worrying about this for a very long time and I think now we’re starting to see some understanding in corporate Australia that that might be true.”
Qantas said the database in question contained names, birthdates, phone numbers, frequent flyer numbers and email addresses but the amount of information could differ from person to person.
One customer who did not want to be named was dismayed to learn their details were being stored, despite not having made a booking with Qantas since 2014.
The investigation into the cyber theft is continuing, and Qantas has stressed no financial details or passport information were stored on that platform provided by cloud-based information technology company Salesforce.
Neither the airline nor the Australian Federal Police have identified what group may be responsible for the hack which had the hallmarks of Scattered Spider, known for its social engineering attacks.
The group was the subject of a Federal Bureau of Investigation warning just days beforehand, advising that “anyone in the airline ecosystem could be at risk”.
Ms O’Shea said under Australian law, companies could hold onto customers’ personal details almost indefinitely.
“If you’re not using it for the purpose that you collected it for, you may have to potentially seek consent for a different kind of use but there’s no obligation to engage in what we might call data minimisation,” said Ms O’Shea.
“By that I mean reducing data when you’re no longer needing it for ongoing purposes, which can lower the impact of a significant data breach.”
She said it was clearly an area in need of attention to help reduce the impact of such cyber attacks.
“In general companies have continued to collect large amounts of personal information and hold it for very long periods; often for people who may have ceased to become customers some time ago,” Ms O’Shea said.
“I can understand why that might be a source of particular frustration for customers but at the moment at least, our policy position does not require (data minimisation).”
On Monday, Qantas revealed the company had been contacted by someone purporting to be the cyber criminal, but would not say if any ransom demand or threat was made.
Senior research engineer at Tenable, Satnam Narang said contact from criminals after a hack, was usually in the form of some type of demand.
“When a potential cyber criminal contacts a victim organisation, it almost always means they want something, typically financial in nature, in exchange for not disclosing the data that’s been stolen,” said Mr Narang.
“This is a very sensitive area, as we know that the Cyber Security Act 2024 took effect on May 30 and requires reporting ransom payments.”
He said so far no Qantas customer information had been leaked onto the dark web, which could indicate the airline was negotiating to mitigate the fallout from Australia’s biggest cyber attack since the strike on Medibank in late 2022.
During the Medibank hack, the health insurer refused to pay a $15m ransom. That led to a cache of sensitive customer information — including those with drug and alcohol addiction or who had abortions — published on the dark web, which is also a marketplace for criminals to exchange information to commit extortion and other crimes.
Customers who had left Medibank years ago were caught up in the hack, with the health insurer saying it was legally obliged to retain some information for seven years. It faced a damage bill of about $150m, according to analysts.
A Qantas spokesman declined to comment about the nature of the contact because it was a “criminal matter”.
An AFP spokesman said the airline had been “highly engaged in assisting authorities and police with investigating this incident”.
The article “Qantas reveals extent of personal details stored on database that was subject to cyber attack” provides:
Qantas CEO Vanessa Hudson says she has taken personal accountability for the cyber attack on a customer database that accessed the data of 5.7 million people.
Although no credit card, financial or passport details were stored on the compromised platform, Qantas said a range of other personal data was on hand including name, email, frequent flyer number, birthdate, address, phone number, gender and – for about 10,000 – meal preferences.
Of the 5.7 million, 2.8 million customer records contained name, email address and frequent flyer number, as well as status tier in many cases, while a “smaller subset” included points balance and status credits.
Another 1.2 million customer records were limited to name and email, while the remaining 1.7 million records included a combination of data fields.
Of those, 1.3 million included an address; 1.1 million a birthdate; 900,000 records listed a mobile, landline or business phone number; 400,000 recognised gender and 10,000 customers had their meal preference recorded on the database, a detail which could also identify religion.
Customers who last week received an email advising their information was affected in the cyber breach, should expect further correspondence about what personal data was in storage.
To date there is no evidence that any of the data stolen had been released, but Ms Hudson said she understood the breach was of concern to customers.
“I don’t want to diminish the fact our customers trust us with looking after their data, and we are very focused on making sure we learn from this, that our systems are improved and the security around all of our systems is lifted as a result,” she said.
“Customers can feel confident that we have made the right steps to ensure that.”
In addition Qantas was looking at purging data from its systems more regularly, and uplifting more controls around contact centre access to sensitive data.
The move follows the revelation “an interaction” between the cyber hacker and the Manila call centre led to the data theft.
However, Ms Hudson said she was “personally taking accountability” for the breach.
“I sent six million emails last week (and) I’ve sent six million emails this week to address that, and I think that is the most important thing we can do to assure customers that we’ve taken it seriously,” she said.
“We will look after their data and improve our systems as a result of this, and support them when difficult situations such as this occur.”
Ms Hudson would not comment on the contact made by the potential culprit, which was under investigation by Australian Federal Police.
Chief scientist at software company Rapid7, Raj Samani, said companies subjected to ransom demands following cyber attacks should definitely not pay up.
“Firstly, you are supporting organised crime, and secondly there is no guarantee there will be any successful conclusion to the negotiation,” he said.
“Finally these groups are criminals so they are generally not very reliable. Despite receiving payment, many ransomware groups have a history of either providing decryption keys of insufficient quality or not providing the keys at all.”
Ms Hudson said Qantas remained in “constant contact with the National Cyber Security Co-ordinator, Australian Cyber Security Centre and the Australian Federal Police”.
“I would like to thank the various agencies and the federal government for their continued support,” she said.
A dedicated support line remained in place for customers on 1800 971 541 or 02 80280534.
The ABC piece should concern Qantas. It reports on customers’ anger and frustration and, more concerningly, on attempts to use the stolen data to scam some customers. The article provides:
Qantas customers say they feel vulnerable, angry and unsupported following last week’s major cybersecurity breach, and are now questioning whether the airline is doing enough to protect Australians’ personal data.
On Monday night, Qantas quietly updated its website to confirm the airline had been contacted by “a potential cybercriminal” less than a week after the data of up to 6 million of its customers was accessed in an online attack.
The airline said it was still working to verify the legitimacy of the contact and has engaged the Australian Federal Police to investigate.
But Qantas is yet to officially confirm the name of the group that has been able to access passenger names, email addresses, phone numbers, dates of birth and Frequent Flyer numbers.
The airline is also still working to determine exactly what data was stolen for each affected customer.
What we do know is that last week, Cyber X, which is the company called in by the airline to investigate the massive cyber attack, said the incident had all the hallmarks of international group Scattered Spider.
We also know that just days before Qantas says it had detected “unusual activity” on a third-party platform that holds customer data, the FBI had issued a warning that Scattered Spider was planning to target airlines.
Far from a sophisticated attack, cyber experts said one of the hackers likely impersonated an IT or other official, and simply tricked a Qantas call centre worker in Manila to obtain the login details to that third-party platform.
Dozens of Qantas customers have contacted the ABC in the wake of the cyber attack to express their frustration with the airline. Some have since been targeted by scammers or received alerts from online accounts including the federal government portal myGov.
Canberra-based disability advocate Ebe Ganon said she received a scam call from someone pretending to be from Qantas Money the same day the company confirmed the breach.
“He was purporting to be alerting me of three suspected fraudulent transactions, and those transactions were really tailored to my shopping and purchasing habits.”
Ms Ganon said the scam caller also referenced a range of different personal information, including her full name, date of birth, the last four digits of her credit card, which suggested he had access to her Qantas customer profile.
“I’m a pretty savvy, you know, technologically savvy person, and it still even took me a couple of minutes to sort of ask him enough questions to be satisfied that it wasn’t a legit call.”
On Monday, Qantas again stated no credit card details, personal financial information or passport details were stored in this system accessed by the cybercriminals.
However, after also being caught up in the Medibank and Optus data breaches, Ms Ganon is sceptical of Qantas’s claim that no financial data was compromised.
“But even if that has come from another source, it points to a much scarier reality.
“I think that many of these scammers are creating composite profiles of people using information from a range of different data breaches and creating profiles where they can then speak to you in a way that’s really, really convincing.”
Indeed, cyber experts have told the ABC the type of data stolen in the Qantas attack could be very valuable to cybercriminals.
“With this particular matter, the biggest risk coming out of this will not be access to Qantas data specifically, but moreover that those 6 million people will be targeted in related type scams,” Stan Gallo, Forensic Services partner with BDO Australia, told ABC News.
“So whether it’s myGov, or people contacting individuals claiming they’re from Qantas, or from a bank, or from some other institution.”
Qantas customers’ MyGov accounts targeted
Indeed, the ABC has been contacted by several people caught up in the Qantas cyber attack whose federal government online myGov accounts have been targeted by suspected hackers.
A spokesperson for Services Australia, which manages myGov, was unable to confirm if there had been a spike in fraudulent attempts to access accounts, but said it was not uncommon after a data breach. The spokesperson said there were ways for users to protect their personal information.
Adelaide-based customer Jack Allison said he received an alert from myGov at 6:30pm — right about the time Qantas emailed him to confirm his personal data had been caught up in the breach.
“They guessed five passwords before being locked out,” Mr Allison told ABC News.
“Once they’re inside myGov, they’d be able to access people’s tax records, their medical history, it’s not good.”
He said he’s disturbed by Qantas’s offshore handling of sensitive data.
“I deeply dislike that personal information is being handed across the globe without my knowledge and consent. I want stronger safeguards for my personal information and the personal information of my family.
“I can’t go and change my name or my date of birth or my address, and I think it’s they’re just not treating this with the level of respect that it deserves.”
Calls for a bigger stick to protect customer information
It took Qantas CEO Vanessa Hudson until Thursday night to give an interview following the cyber attack. She spoke to one media outlet from her holiday in Europe. Other media, including the ABC, were not given advance warning of the interview so were unable to put questions to the airline’s boss.
While customers are calling for stronger protections, lawyers said current privacy laws offered limited paths to justice — and were badly in need of reform.
Lizzie O’Shea, principal lawyer at Maurice Blackburn, said affected individuals can currently make a complaint to the Office of the Australian Information Commissioner, but that process is slow and often overwhelmed.
“There is a process that they go through to determine whether you’ve experienced any harm and you can be awarded compensation,” Ms O’Shea said.
“One of the problems with that scheme is that the commissioner’s office is overwhelmed by complaints of this nature.”
Ms O’Shea said one key solution is introducing a “direct right of action” — so individuals can take companies like Qantas straight to court.
“That means that instead of going to the commissioner, where the process can be slow, you have a direct right of action to go to court. That means you can sue companies that have mishandled your information and obtain compensation.”
She said there was an urgent need to reform the Privacy Act.
“Because at the moment companies can have these data breaches occur and there may not be a clear remedy or a pathway to getting the result for people who are harmed, and I think most Australians think that’s not good enough.”
She said this type of large-scale breach is exactly the kind of case that could justify a class action — if the law made it easier.
“In this kind of circumstance, where there’s 6 million people potentially affected, it is a vehicle for a class action if you have a direct right to go to court.
“That would get the kinds of results that I think people expect in these circumstances and it would also act as a deterrent to make sure companies treat information really carefully, with the risk that they might be having to face court if they don’t.”
Until that happens, Qantas customer Ms Ganon said large corporations would continue letting customers down — without consequence.
“So I think my expectations are low. I’m disappointed but not surprised.”