Qantas data breach saga continues apace... moving to commentary

July 10, 2025

The Qantas data breach saga is following a predictable trajectory, largely because of a poor initial response to the data breach. The coverage has moved, having begun that transition yesterday, from the data breach itself to the impact on customers, the continuing problems with communication and possible compensation. As the story has developed, victims, or just upset customers, have come forward to provide colour and put Qantas in an even poorer light. The stories are widespread, including the Australian’s Qantas cyber incident: frequent flyers, customers await update on stolen data, the SMH’s Qantas hack will haunt affected customers for a long time, experts warn and Qantas hack victims could get compensation, say experts, and the ABC’s Qantas data breach: questions remain. And, as with data breaches where there are internal issues and a poorly managed data breach response, the leaks come thick and fast. Crikey demonstrates this with ‘This isn’t a one-off glitch’: Qantas pilots blast airline over data hack of 6 million customers.

The coverage demonstrates how important it is for companies to move quickly and transparently in responding to a data breach. It also highlights the poor understanding of privacy law behind some of the claims made. The Qantas data breach saga is a lesson in how not to respond to a data breach.

The SMH’s Qantas hack victims could get compensation, say experts highlights the sketchy understanding of how civil penalty proceedings operate and what options are available for seeking compensation. The story accurately sets out the maximum penalty the Federal Court could impose if a civil penalty action were brought under section 13H of the Privacy Act 1988. But that does not equate to compensation for consumers. It is a penalty. Whether the Privacy Commissioner distributes whatever penalty is imposed is unknowable. Given that, Dr Srivastava’s quoted statement as to how the Privacy Commissioner operates is confusing. A more likely route to compensation would be a class action alleging various common law causes of action and potentially statutory claims. It is possible, but difficult, to consider using the new statutory tort of serious interference with privacy: it would be necessary to show that Qantas’ conduct was reckless. The article provides:

Qantas customers affected by the data hack could ultimately be entitled to compensation if the airline were found to have breached passenger privacy, experts say.

A week after Qantas disclosed the loss of data of up to six million customers, consumer law experts say the airline could ultimately face penalties, if a series of conditions are met.

Qantas detected unusual activity on a “third-party platform” used by the airline’s contact centre in Manila early last week, prompting an investigation, which determined customer names, email addresses, phone numbers and birthdates, as well as frequent flyer numbers had been accessed, through a third-party vendor to Qantas.

The airline disclosed the breach, which has been suspected to be the work of a criminal cybergang called Scattered Spider.

On Monday, Qantas said “a potential cybercriminal has made contact” with the airline, saying it was “working to validate” the communication. Cybersecurity officials fear the data could ultimately be used as ransom.

The uncertainty over the status of customer data highlights the volume of data held by Qantas.

Maurice Blackburn class action lawyer Lizzie O’Shea, who specialises in privacy issues, said: “Qantas is a holder of a very significant amount of consumer information, involving huge amounts of data that are used for all sorts of purposes, including profiling consumer behaviour.”

Australian privacy law requires an entity to take reasonable steps to protect customers’ information from misuse and unauthorised access.

The use of the data “may not meet the standards of what most people expect for the way the data is collected and how it’s used,” O’Shea says.

There is no “social license for companies to collect huge amounts of data”, especially as polls show the public continues to show a preference for stronger data protections, she says.

“For that reason, these kinds of data breaches are hugely illuminating for the public. They act as a lightning rod for consumer frustrations, which are usually accompanied by a call for governments to enact stronger privacy laws.”

It’s understood that following the high-profile and damaging hacks of Medibank Private and Optus in 2022, Qantas purged old customer data.

Monash Business School Department of business law academic Dr Aashish Srivastava said: “Under the Privacy Act, if there is a data breach and the customer complains to the Office of the Australian Information Commissioner, and after an investigation the OAIC finds there were privacy breaches by Qantas, as part of that, the OAIC can give the consumer some kind of remedy for any loss or damage suffered as a result of the privacy breach.”

Under the Privacy Act, the watchdog can impose a range of civil penalties, from a maximum of $2.5 million for an individual and up to $50 million for a company. Optus and Medibank were the targets of class actions following their damaging losses of customer data during separate hacks. The privacy watchdog also took civil action against Medibank.

The watchdog conducted a routine review of Qantas’ frequent flyer data management in 2017, finding that while all “personal information is stored in Australia, Qantas frequent flyer use several offshore customer service centres”.

At the time, Qantas conducted “overseas contract staff background checks” and put provisions in employee contracts “related to the handling of personal information”, the OAIC said.

The watchdog in 2019 recommended in the assessment that the Qantas frequent flyer program “develops and implements a privacy management plan that sets out specific goals and objectives for its privacy management with consideration of the specific issues that apply to its operations”.

The Notifiable Data Breaches scheme requires companies to notify the Office of the Australian Information Commissioner and customers “at risk of serious harm from … a data breach”.

Cybersecurity expert Lani Refiti, from national security firm Azcende, said that if a ransom were sought at this point, Qantas’ corporate and government-led cyber response team would have to be in discussions with the attackers.

Qantas is investigating after it was contacted by a suspected cyber criminal days after a major hack.

“No breach of this size is just for giggles,” said Refiti, whose company also provides cybersecurity compliance advisory services.

“The attackers would have to be looking to monetise it in some manner.”

Scattered Spider has already hit Hawaiian Airlines and Canada’s WestJet this year.

Despite mandatory ransomware and cyber extortion rules coming into effect in May 2025, it’s not clear a ransom attempt has followed Qantas’ data loss.

Cybersecurity company Darktrace’s vice president Tony Jarvis said: “It is notoriously difficult to confirm if and where information ends up on the dark web.

“The group that steals the data is often not the group that directly monetises it – and dark web monitoring only catches things that are sold on open market, essentially marketed for anyone with access to the forum to buy.

“That means if there is already an approved buyer, or a closed network, it will not appear on the dark web,” he said.

The ABC’s Qantas data breach: questions remain is typical of coverage that taps into upset customers unhappy with a poor response and then segues into criticism of Qantas’ data handling practices. It is reputationally damaging. It provides:

Samantha Donovan: First this evening, Qantas has refused to say whether it’s being held to ransom by cyber criminals after a data breach exposed customers’ personal information. The airline announced the breach last week and today it’s confirmed that 5.7 million customers are affected. Email addresses, birthdates and other information has been exposed. Qantas says it’s been contacted by someone claiming to be behind the attack. Customers who are affected say they’ve been left in the dark about what’s going on. Myles Houlbrook-Walk reports.

Myles Houlbrook-Walk: For Qantas customer Joanna Ash-Griffiths, this data breach isn’t her first rodeo.

Joanna Ash-Griffiths: I was involved in the Optus data breach, so I’ve already had information stolen and now that my Qantas information is stolen and I haven’t used frequent flyers for a long, long time, so I’m not quite sure why they were still even holding on to my information in the first place.

Myles Houlbrook-Walk: She received a generic email a week ago from Qantas telling her a data breach had occurred. Soon after that, she began receiving suspicious phone calls.

Joanna Ash-Griffiths: They were all from what looked like a landline in Sydney, but it was just those ones where a bot’s calling to see if the phone number’s I’ve got kids obviously and I’ve got a dad in aged care and we have phones for reasons. I answered the first time but he didn’t say anything and then after I just stopped answering them.

Myles Houlbrook-Walk: Of the 5.7 million people whose accounts were impacted, we know that 4 million had their name, email address and frequent flyer numbers exposed. A further 1.7 million customers had more data compromised, including their address, date of birth, phone number or gender. Qantas CEO Vanessa Hudson says her airline is supporting those affected.

Vanessa Hudson: Credit card information, passport information, key identity information, whether it be password or PIN numbers, we know that weren’t as a part of this breach. So that’s not diminishing the seriousness of this, but we are providing customers that support if they need it.

Myles Houlbrook-Walk: That support’s been provided to customer Joanna Ash-Griffiths. She’s unimpressed.

Joanna Ash-Griffiths: They basically told me the generic information that we already know, not to give out personal details over the phone. They also told me just to not answer phone calls unless they’re people in my address book and I said that that wasn’t possible, that I do receive calls that are not my contacts and they said, oh yeah, well sorry about that. That’s all we can help you with. You could contact your bank if you’re worried and start cancelling all your accounts and let them know that there’s a problem.

Myles Houlbrook-Walk: Key questions remain about the data breach. Among them, who is responsible? Richard Buckland is a professor of cybercrime at the University of New South Wales. He points to one potential group known as Scattered Spider.

Richard Buckland: They’re a group of young people, mainly very young people from English-speaking countries, so not your typical cybercriminals who tend to come from Eastern European or other countries. They’re very good at tricking people. Their masters are doing a whole lot of research on the targets they’re attacking and then saying just the right things to trick people into letting them into systems.

Myles Houlbrook-Walk: Richard Buckland warns while credit card information may not have been obtained, other information like names and email addresses are still dangerous in the hands of a hacker.

Richard Buckland: This information is enough to impersonate people. It’s also often enough to commit people to obligations to do a sort of identity theft. With this information you could maybe take out some sort of loan, obviously not a bank loan but borrow power tools from an organisation that rents power tools.

Myles Houlbrook-Walk: Earlier this week, Qantas said it had been contacted by a potential cybercriminal, but there’s little detail about that interaction, including who it was.

Vanessa Hudson: We are also saying that this is the subject of a criminal investigation and that the AFP are leading that and we are not going to make any more comments about that.

Myles Houlbrook-Walk: Cybersecurity expert from the Australian National University, Dr Vanessa Teague, warns many companies aren’t taking enough care with customer data, particularly when they’re outsourcing their data storage to third parties.

Vanessa Teague: There are heaps of third parties, Salesforce, heaps and heaps of organisations, without even really thinking about it very hard, I think, share, upload or outsource.

Myles Houlbrook-Walk: Can third party platforms be relied upon? If you’re the company that’s taking carriage of someone’s data, is it somewhat risky to outsource this or is it best practice?

Vanessa Teague: Well, it’s risky for our data. Whether it’s actually risky for the corporation doing the outsourcing is a separate question, because in Australia we have such weak privacy laws and such weak enforcement of those privacy laws that it doesn’t necessarily actually impact a company’s bottom line if they are associated with a major data breach like this.

Myles Houlbrook-Walk: In this breach, it was Qantas’ third party storage that was targeted. Vanessa Teague wants to see companies treat customer data with more care.

Vanessa Teague: The protection of de-identified data under the Privacy Act, because part of what goes wrong is that corporations, advertising agencies, tech companies, credit card companies and so forth will sell or share what they claim to be de-identified data that is actually very easily identified and linked with other data about individual people.

Myles Houlbrook-Walk: Customers who believe they’ve been targeted by scammers can report it to Scamwatch, a service run by Australia’s consumer watchdog.

Samantha Donovan: Myles Houlbrook-Walk reporting. 

Crikey has never been famous for its quiet, careful and conservative commentary. It prefers a more robust form of journalism. Hence it is a magnet for disgruntled insiders. And when a company like Qantas is embarrassed and exposed to criticism, the leaks begin. This article picks up and amplifies some of the criticisms I noted about Qantas’ response: the downplaying of the damage, the vague word-salad comments about the relevant issues and the lack of transparency. But more significant allegations are made: that this is not the first IT mistake and that there were problems with third party platforms. The Crikey article provides:

If Qantas were a person, it’d be that person at the bar who spills your drink, blames the table, and then proceeds to do nothing except make lame excuses and wander off without offering to buy you a fresh one.

The airline’s latest crisis? Last week’s cyber privacy breach involving 5.7 million customers’ personal data and, for a subset of those, frequent flyer data. More than a week after the data breach, Qantas appears none the wiser as to who perpetrated it or why. If it does, it is certainly not sharing that information with those affected: its customers. Qantas now says it knows who had what data stolen and is contacting those affected. Progressively.

The realities of this monumental failure by the airline continue to be quietly downplayed by management as a “technical issue”; no mention of a cyberattack, and no evidence of malicious activity, they say. And, anyway, it was on a “third-party platform”.

“Since the incident, we have put in place a number of additional cybersecurity measures to further protect our customers’ data, and are continuing to review what happened,” Qantas said in its latest update.

But if you talk to the people who keep Qantas airborne, you’ll get a different story, one of outsourcing and a leadership team pathologically incapable of owning its failures.

“This isn’t a one-off glitch. It’s the third major IT-related debacle in as many years. And it’s yet another symptom of a company that has hollowed out its internal capacity and outsourced critical functions all to save money. The customers and staff always seem to come last,” one pilot told Crikey.

Another pilot noted that the Qantas chairman John Mullen has yet to make any comment or offer reassurance to customers: “The board seem to be sticking their heads in the sand and hoping the problem will go away.”

But it’s the now all-too-familiar outsourcing that most rankles Qantas staff. The airline’s rank and file are still fuming about the illegal outsourcing of baggage handlers, which the company fought all the way to the High Court before being found guilty several times and forced to pay hundreds of millions in compensation.

“The big question is: why has Qantas outsourced so much of its call centres to the Philippines, which is where this leak happened. Isn’t it supposed to be the Australian national carrier?” a Qantas regional pilot wondered aloud.

“Qantas is taking jobs out of Australia. There are plenty of Australians who would love to work for Qantas, but the jobs are cheaper offshore; it’s all about executives’ bonuses, not customers.”

The operational rot goes deeper than code

A former senior pilot told Crikey that at Qantas these days, the default response from management is “blame deflection”.

Blame the system, blame demand, blame COVID. Never the decision-makers, never the outsourcing strategy, and certainly never the board. And you see the result — the public and customers no longer believe what Qantas says, and the Qantas workforce no longer believes Qantas knows what it’s doing.

From a crisis management perspective, Qantas has once again failed the basics. There’s been no public accountability, just passive-voice statements and buried FAQs. Customers found out about the data breach via app alerts or media leaks initially — not from the airline. The message seems to be: we’ll let you know if it gets worse. Given Qantas’ track record, this may be designed to limit legal exposure, but it torches trust, something that its CEO Vanessa Hudson has been working hard to try and regain.

But actions speak louder than comforting words. As a Qantas Frequent Flyer myself, who had received an initial email notifying me that my data may well have been taken by the hackers, I once more called the outsourced (yes, really — to the UK) help number, where staff were no wiser than they had been when I called them last week. 

I was told that Qantas was “progressively working through the data” and “informing customers just in what field their data has been stolen”.

“I wouldn’t want to give you a time frame, but they are working throughout,” said the call centre operator, who confirmed that Qantas was still not offering anything by way of recompense. She said — clearly meant to reassure me — that Qantas had “engaged cybersecurity experts” (now, but clearly not before the hack) who were “keeping an eye on what the data may be being used for” and even monitoring “the dark web”.

I was told if I wanted “any further information about cybersecurity”, that Qantas has “partnered with www.idcare.org”, where I could go and quote a referral code: qant25. Still, this company could not provide any information about the specific incident. The usual Qantas customer service merry-go-around.

There was a time when Qantas was synonymous with safety, engineering rigour, and operational excellence. Those were not marketing slogans — they were hard-earned truths, backed by in-house talent, deep institutional memory, and a sense that responsibility flowed up as well as down.

Now? Those same pilots and engineers are reduced to cynics. They watch senior execs cycle through comms-trained media lines while serious safety and systems issues fester. They’ve seen pandemic bailouts turn into share buybacks. They’ve watched IT budgets balloon — only for systems to fail, again and again.

Is anyone actually accountable?

Alan Joyce may be gone, but the DNA of deflection remains. When Qantas sold its soul to cost-cutting, it lost more than headcount. It lost institutional capability — and when something goes wrong, as it increasingly does, there’s no-one left to step up and fix it.

That’s the unspoken truth of this breach. Not that some data slipped through a crack, but that there’s no-one left inside the building who really understands how the building works — because they all took the package and ran. Deep aviation experience is not learned overnight.

Until Qantas reverses this rot — by rebuilding internal teams, reestablishing operational control, and ending the CEO blame carousel — it risks a continued spiralling into crises, each one handled worse than the last.

After the serial scandals of recent years, can anyone remember when Qantas was worth believing in?

The Australian article Qantas cyber incident: frequent flyers, customers await update on stolen data reports on the inadequacies of the Qantas response. It also quotes an expert on further potential dangers of the personal information being stolen; in this case, having frequent flyer balances and status may identify high value targets. Another angle for hostile coverage. It provides:

Qantas says not all customers impacted by a cyber attack on its database have been updated about the sort of information accessed because emails are being sent out in batches.

A review of the database used by Qantas’s Manila call centre revealed various personal details of 5.7 million customers were being stored on the platform, ranging from frequent flyer status and points balance to meal preference.

To date, more than a million customers have been informed about what details were stolen by the cyber criminal following an interaction with the call centre almost two weeks ago.

But many are still waiting to be told just what details held by the airline have now been shared with a hacker, putting the customer at risk of further exploitation through scams.

“The information on its own might not seem that bad, but it’s what more information that might allow the cyber criminal to get that concerns me,” said one frequent flyer caught up in the breach.

Qantas confirmed the details on record for each customer varied, with names, birthdates, addresses, phone numbers, gender and frequent flyer numbers among the fields.

Almost half of those compromised by the breach had their frequent flyer number and status tier recorded, while a smaller subset also had their points balance and status credits included.

Frequent flyer expert Adele Eliseo, of The Champagne Mile, said such information could identify “high-value” individuals that would be of interest to cyber criminals.

“Last week’s announcement gave no indication that fields like points or tier status were at risk,” Ms Eliseo said.

“These are sensitive fields that can help bad actors zero in on frequent flyers with the most to lose.”

The hack also threatened to identify members of Qantas’s exclusive invitation-only Chairman’s Lounge, the guest list of which was a closely guarded secret.

Ms Eliseo also raised concerns about Qantas including members’ full frequent flyer numbers in email communications about the breach, even though both may have been compromised.

“In banking, account identifiers are typically masked or redacted,” Ms Eliseo said.

“Qantas’s disclosure of such information highlights that perhaps loyalty data still isn’t being handled with the same level of care we expect for sensitive personal information.”

Qantas reiterated that emails were being sent progressively, a week after customers first learned if their details were stored on the Salesforce platform used by the call centre in Manila.

Chief Executive Vanessa Hudson has stressed no financial details or passport information were stored on that platform, which has now been secured.

Those who had received an email outlining what data was now in the hands of a cyber criminal were urged to “follow general precautionary steps and remain vigilant to any misuse of their personal information”.

“Remain alert especially with email, text messages or phone calls, particularly where the sender or call purports to be from Qantas,” said the Qantas update signed by Ms Hudson.

“Always independently verify the identity of the caller by contacting them on a number available through official channels.”

Customers were also advised to stay informed about the latest threats and scams via the Australian Cyber Security Centre and the National Anti-Scam Centre’s Scamwatch web page.

“Do not provide your online account passwords, or any personal or financial information,” the Qantas advisory said.

“Qantas will never contact customers requesting passwords, booking reference details or sensitive login information.”

Ms Hudson signed off with an apology, noting her appreciation of customers’ patience as the cyber attack investigation unfolded.

“You put your trust in us with your personal information, and we take that responsibility very seriously,” she said.

“If you have any concerns, please contact our dedicated 24/7 customer support line at 1800 971 541 or 61 2 8028 0534. You’ll be able to access specialist identity protection advice and resources through this team.”

The SMH’s Qantas hack will haunt affected customers for a long time, experts warn gives free rein to experts to prophesy worst case scenarios. The article provides:

Qantas customers caught up in the data breach are under increased risk, with experts warning that the information stolen from the airline could be used to target accounts they hold at other high-profile brands.

The airline on Wednesday said that 5.7 million customers had their information accessed by hackers last week, including information on frequent flyer accounts (including membership tier status: bronze, silver, gold, platinum or Chairman’s Lounge), addresses and even the food preferences of thousands of travellers.

US-based cybersecurity company Arkose Labs’ chief executive Kevin Gosschalk told this masthead the stolen information could potentially be used to break into accounts the affected Qantas customers have with retail, grocery and luxury brands.

“It’s not about targeting Qantas, it’s about how else can scammers now go and scam the information and the individuals who had their information,” said Brisbane-born Gosschalk.

“It’s going to be a problem for customers for many years to come.”

With the Qantas data now out in the wild, criminals “have a very clean, very targeted list they can go use to try and compromise other industry and other company accounts in Australia”, warned Gosschalk.

Gosschalk, whose company counts airlines and large corporations as clients, added the stolen membership status data would be especially lucrative for hackers, allowing them to home in on more high-end accounts.

“That is a hyper-targeted list for a scammer to go and try to compromise a multimillionaire’s accounts. That data is way more useful targeting the victims, than targeting the airlines.”

Gosschalk added the data can be used to “stack-rank people’s wealth”.

“And you’re going to want to scam the richer people because they have more money,” he said.

Qantas does not publish the total number of members of the invitation-only Chairman’s Lounge. But its members include Prime Minister Anthony Albanese, MPs from all parties, chief executives, senior bureaucrats, judges and a range of other VIPs.

The airline has not indicated the number of frequent flyers’ tier data released, other than to say that the “majority” of 2.8 million customer accounts with name, email address, and frequent flyer number included the passenger’s tier.

“Tier status and points balance reveal spending behaviour and loyalty value,” said loyalty program review site The Champagne Mile’s Adele Eliseo. “These are meaningful data points that can be used to flag high-value accounts.”

Frequent flyer programs are typically the primary targets of hackers eyeing airlines because the programs are the “store of value” that an attacker can compromise and convert into money.

In 2022, an IT provider for Philippine Airlines was breached, losing details on thousands of frequent flyers. The same year, five Singapore Airlines’ frequent flyers had their accounts hacked with their points stolen, before the airline reversed the loss.

While producing a “target list” of future scam victims is one potential consequence of last week’s hack, the stolen accounts, stolen points, and tickets purchased with stolen points can also be sold for value on the dark web.

One Qantas Point can be worth up to 5¢ when redeemed with 200,000 points sitting on up to $10,000 in value, according to Eliseo. Those same accounts are sold for about 5 to 10 per cent of the value on the dark web.

The vast application of loyalty points means they can also be converted to gift cards at vendors and for rentals, which are harder for authorities to trace.

“This breach exposes how important it is for consumers to start treating their points as financial assets and to take steps to protect them,” said Eliseo. “But we also need loyalty programs and regulators to step up and start providing the safeguards we expect from financial institutions.”

“In recent years, there’s been a surge in the monetary value held inside loyalty ecosystems, but security standards are often lagging behind.”

Eliseo said it’s standard for loyalty programs in Australia to include full membership numbers in emails but in financial services, this information would usually be suppressed. “The difference points to a gap in data protection standards.”

In a survey of IT investment priorities of airlines by the member-owned aviation tech company SITA, only 22 per cent listed cybersecurity. By contrast, 55 per cent named air and operations, control centre systems and real time flight optimisation tools.

Using fraudulent emails to trick a person into giving up valuable credentials, known as phishing, was a primary method of cybercriminals. Now criminals are using generative AI to create entire phishing websites, or use auto-diallers to contact potential victims en masse.

“They’re using those tools to basically scale fraud,” said Gosschalk.

“So you can do it now at ‘bot scale’.” A scammer can hit all six million people in a day rather than having to manually call six million people, which would take months, he said.

Qantas reiterated on Wednesday that no credit card details, personal financial information or passport details were accessed. “There continues to be no impact to Qantas Frequent Flyer accounts.”

The airline recommended that customers “remain vigilant to any misuse of their personal information” and “remain alert, especially with email, text messages or telephone calls”.

Qantas customers should stay informed about the latest threats by visiting the Australian Cyber Security Centre and the National Anti-Scam Centre’s Scamwatch webpage, the company advised.

As of Thursday, the hacked data does not appear to be released despite a potential cybercriminal approaching Qantas.

One Response to “Qantas data breach saga continues apace... moving to commentary”

1. isa

Qantas in its automated message tells us not to share our personal details online… but then happily does that for us anyway.
I’m not sure 30+ years ago I gave consent to have my info shared to 3rd party companies based outside Australia.
