Peter A Clarke

The media report (in the Australian amongst others) that a/the cyber hacker has approached Qantas and it and the Australian Federal Police are determining whether the approach is by the cyber hacker. As per usual with Qantas has stated there has been an approach but said nothing else. It is consistent with approaches taken by many Australian companies affected by data breaches but not consistent with best practice in the United States where there is more candour which, usually, results in more sympathy. It is a different story when it comes to paying to remove ransomware. In that regard non disclosure is universal. Given that the Australian Federal Police are trying to determine whether the approach is from the hacker or just an opportunist there won’t be any payment of ransom.

There is some confusion about what to do regarding ransoms.  It is not illegal to pay a ransom.  It may be illegal not to report such a payment.  Whether such a payment is reportable depends on the circumstances and applying them to the legislation.  It can be quite a technical exercise.

Under Part 3 of the Cyber Security Act 2024 , which took effect on 30 May 2025, entities covered by the legislation must provide notification of ransom payments that have been made in certain circumstances. The legislation sets out the process in detail.  It is important to appreciate that some assessment is required to determine whether an entity is obliged to make a report or not.

Entities covered by the legislation are those:

1. responsible for critical infrastructure assets under Part 2B of the Security of Critical Infrastructure Act 2018 (Cth) ; or
2.  carrying on business in Australia with an annual turnover exceeding $3 million.  The coverage is set out in the Cyber Security (Ransomware Payment Reporting) Rules 2025.

An entity must make a report if:

1. a cyber security incident has occurred, is occurring or is imminent;
2. the incident has had, is having, or could reasonably be expected to have, a direct or indirect impact on it;
3. there is a demand which would give the malefactor  benefit from the incident or its impact on the entity; and
4. the entity has made payment or is aware that another entity has provided on their behalf, a payment or benefit to the extortionist and it is in response to the demand.

Reports have to be made within 72 hours of making a payment/becoming aware of a ransomware payment having been made to the Australian Signals Directorate through the Australian Cyber Security Centre via an online portal.  There is no minimum threshold for payment.  All benefits and payments made must be reported.

Under the Cyber Security Act reports must contain information regarding:

• the  entity who made the payment;
• the cyber incident, including its impact on the reporting business entity;
• the demand made by the extorting entity;
• the ransomware payment; and
• any communications with the extorting entity relating to the incident, the demand and the payment.

A failure to make a report can result in civil penalties of up to 60 penalty units.

There are restrictions on the use of information reported.  Under Division 3 of Part 3, designated Commonwealth bodies can only to use or disclose the information to assist the reporting business entity with responding to, mitigating, or resolving the cyber security incident; performing functions or exercising powers under relevant parts of the Cyber Security Act, and performing intelligence agency functions.

Given the technical nature of the legislation it would be prudent for entities to get some legal guidance before going through the process.

The Australian article provides:

A Qantas spokesman would not say if the contact was in the form of a ransom demand typically associated with cyber attacks on large organisations.

He said “as this is a criminal matter, we have engaged the Australian Federal Police and won’t be commenting any further on the detail of the contact”.

“There is no evidence that any personal data stolen from Qantas has been released but, with the support of specialist cyber security experts, we continue to actively monitor,” the spokesman said.

The breach of a Salesforce platform used by the call centre was discovered by the airline last Monday, resulting in the theft of data from six million customers, including a combination of names, birthdates, email addresses, and phone and frequent flyer numbers.

Exactly what details were stored by Qantas for each customer will be shared with those affected in coming days, the airline has said.

Qantas chief Vanessa Hudson has emphasised the hack did not extend to financial details or passport information, which Qantas stored separately to other data.

It is understood the cyber criminal was given access to the database after an interaction with a call centre operator.

Ms Hudson said it was not significant that the hacker targeted a platform connected to the call centre in Manila, saying it could have happened anywhere.

“Absolutely, I mean cyber criminals are global and this was happening in the US the week before us,” said Ms Hudson, who ended her European holiday as soon as she became aware of the breach.

“I don’t think any part of any business or any operation is not exposed to this threat. It’s something we have to manage as modern organisations, and we have to learn from these events when they happen.”

Following her promotion to CEO in September 2023, Ms Hudson announced a review of offshore call centres, with a view to bringing some or all back onshore.

The review was in response to customer concerns about long waiting times, and poorly trained customer service staff in some overseas centres.

Currently, Qantas operates five call centres in Manila, Suva, Cape Town, Auckland and Hobart, to ensure cost-effective 24/7 coverage for customers.

Asked about the review’s progress, Ms Hudson said Qantas had “recruited a lot of call centre operators onshore”.

“It’s where most of our recruitment has been happening, in Hobart and also Auckland, and that’s been continuing,” she said.

“Also, as this investigation (into the cyber attack) goes through we will review everything, and I am going to be open to every suggestion that comes from that review to do two things: one, to make sure that we uplift our controls and the security of data around customers, but also continue to improve service levels.”

The Australian Federal Police confirmed it was investigating the Qantas cyber breach, which had the hallmarks of hacker group Scattered Spider.

Days before the attack, the US Federal Bureau of Investigation warned the group was targeting the aviation industry, following hacks on Hawaiian Airlines and Canada’s WestJet.

Ms Hudson said Qantas would use the incident to “further strengthen its systems and operating models”.

“We will do that, and you know we have all sorts of third-party providers across our network and I apply the same thought process and philosophy to all of them – we need to be across all of them,” she said.

Virgin Australia was also understood to be reviewing, monitoring and testing its information security settings to adapt to changes in the threat environment.

Although the airline declined to comment on the Qantas hack and the FBI warning, Virgin acknowledged that cyber security remained a significant risk to business and the community generally.

Qantas’ advice to affected customers is to remain alert for unusual communications claiming to be from the airline, and to be cautious of emails seeking passwords or booking reference numbers.

Ms Hudson said there was no need for frequent flyer members to reset their password or PIN.

About 80 per cent of those on the compromised database are frequent flyers of various status levels, with the remainder customers who had previously booked with Qantas.

After an initial dip in price following news of the attack, Qantas shares have gained altitude, closing up 1 per cent at $10.69 on Monday.