Service of court orders on cyber hackers by Qantas
July 21, 2025
Service of court orders is invariably necessary to permit action for contempt for a breach of those orders. In cases of injunctive relief the Court commonly requires service of those orders. It becomes more difficult when the subjects of those orders inhabit the dark web, have no representatives to accept service of those orders and can easily disappear. Welcome to the world of service on cyber hackers. Non-publication orders against cyber hackers are a relatively recent phenomenon, as is the method of service.
Qantas served the non-publication orders made by Justice Kunc of the New South Wales Supreme Court via Tox. According to affidavit material filed by Qantas, the documents containing the orders were sent last Thursday and a return email was received 3 hours later. What is not clear is how the order has been brought to the attention of those who may not be the cyber criminals but come upon this information. That may be attended to by specific exemptions to the orders. It is not known. In crafting orders it is important to make them sufficiently focused so as to avoid unwelcome consequences, such as a victim of the cyber breach being in contempt because he or she found his or her information on the dark web or elsewhere.
The Australian has covered this story in How Qantas served papers on cyber criminals over hack attack on customer database. What seems to be clear is that the cyber hackers are based outside Australia. That is a perennial problem, and one that does not have an easy solution if the overseas locations are ones where governments are weak or protect hackers, or where the legal system does not permit easy action.
The article provides:
Qantas has had to establish its own version of the bat signal to communicate with the cyber criminal behind an attack on a database storing details of 5.7 million customers.
Orders made by New South Wales Supreme Court Judge Francois Kunc, revealed the airline was required to serve documents on the as yet unnamed group through any known channel.
As a result a dedicated message box and specially set up email addresses were used to send a Dropbox link of documents to the Tox messaging account contact point of the criminals.
Tox is a covert communication channel that uses a combination of encryption algorithms to ensure security and privacy, and only users with Tox IDs can use the system.
According to cybersecurity expert Sigmund Brandstaetter, Tox does not rely on centralised servers that may be vulnerable to surveillance and data breaches, making it attractive for use by cyber criminals.
The Qantas affidavit said the documents were sent at 9.45am on Thursday, and within three hours a return email was received.
The proceedings were kept confidential until the documents were sent, in an effort to ensure the group did not disconnect from its contact point.
Court documents provided few other clues to the group’s identity — only that it was based outside of Australia.
Much of the affidavits’ content was redacted due to the sensitivity of the matter which began to unfold late last month after an “interaction” between the cyber criminal and Qantas’ Manila call centre.
It’s alleged that interaction led to the criminal accessing a customer database, storing personal information about 5.7 million individuals.
The information ranged from names, addresses and birthdates to frequent flyer numbers and points balances, but did not include credit card details, passport information or passwords.
However one affidavit filed by the airline revealed concerns the information could be used “to cause harm to Qantas, its customers and others”.
Three examples of harm were listed in the affidavit but the details were redacted.
The primary purpose of the court proceedings was an injunction preventing the release, viewing, transmission or publication of information stolen from the database.
Although it was considered unlikely the cyber criminals would abide by the court undertaking, the legal orders meant third parties such as the media could not expose the data in the event it was uploaded to the dark web.
At the same time, law firm Maurice Blackburn was pushing ahead with its claim for compensation for those caught up in the Qantas attack.
A spokesman said the law firm had received a “very strong response” after inviting customers to register with Maurice Blackburn via its website, to get updates on a complaint to the Office of the Australian Information Commissioner, and potentially compensation.
“It is early days in what we are learning about the mass data breach, but if you’re one of the millions of people that have had your personal information compromised, you’re eligible to register with us and we will keep you informed as the matter progresses,” said principal lawyer Elizabeth O’Shea.
As yet the identity of the Qantas cyber attacker has not been revealed, however experts believe the method of operation was strikingly similar to that deployed by the group known as Scattered Spider.
Previously linked to attacks on Hawaiian Airlines and WestJet, the group has been identified by the US Federal Bureau of Investigation as targeting airlines.
There were fears the group may have struck again on Sunday evening (US time) when Alaska and subsidiary Horizon Airlines suddenly issued a ground stop on all flights due to a software outage.
A ground stop means flights yet to take off are required to remain on the ground, causing potential travel disruptions and delays.
The outage lasted three hours, before Alaska announced it was lifting the ground stop.
In a post to X, the airline offered a sincere apology to customers for the inconvenience but provided no further details of the IT outage other than to say it had been resolved.