A representative complaint under the Privacy Act 1988 made against Qantas
July 18, 2025
The Australian reports in “Maurice Blackburn launches compensation case against Qantas over cyber attack” that a claim against Qantas is in the offing. It is a representative complaint under the Privacy Act 1988. It is also reported in “Compensation sought for millions of Qantas customers hit in major cyber data breach”. Representative complaints may be commenced under Division 1 of Part V of the Privacy Act. Under section 36 an individual may complain to the Commissioner about an act or practice that is an interference with the privacy of that individual. Under section 38 a representative complaint can be made on behalf of a class if all the members have complaints against the same entity and they arise out of, in this case, the same circumstances.
There should be no surprise in what has happened. Some form of claim was likely. The Australian article provides:
Law firm Maurice Blackburn is seeking compensation from Qantas on behalf of the millions of customers whose data was stolen in a cyber attack.
On the same day Qantas won an interim injunction to try to stop the publication of the stolen data, Maurice Blackburn lodged a representative complaint with the Office of the Australian Information Commissioner (OAIC) on behalf of affected individuals.
The complaint alleges that Qantas failed to take reasonable steps to protect personal information, stored on a customer database used by its Manila call centre.
Maurice Blackburn principal lawyer Elizabeth O’Shea said the OAIC was the authority charged with taking action over breaches of the Privacy Act.
“While we await a response and potential action from the OAIC in relation to Qantas failing to adequately protect the personal information of its customers, we would encourage Qantas customers who were impacted by the breach to register with us to receive updates about the representative complaint and compensation which may be sought on your behalf,” said Ms O’Shea.
“It is early days in what we are learning about the mass data breach, but if you’re one of the millions of people that have had your personal information compromised, you’re eligible to register with us and we will keep you informed as the matter progresses.”
The move came as Qantas went to the New South Wales Supreme Court in an effort to stop the personal data of 5.7 million customers being accessed, viewed, released or published.
In a statement, Qantas revealed it was “aware of increased reports of scammers impersonating the airline” and urged customers to remain vigilant.
As yet there has been no evidence that any of the stolen data has been released on the dark web, and Qantas is continuing to monitor those sites with the help of specialist cyber security experts.
The injunction obtained by Qantas means that in the event cyber criminals do post the details on the dark web, others including the media will not be able to repost or publish the details such as Chairman’s Lounge members caught out by the breach.
Affected customers have been informed about what details were on the platform in question, ranging from names, addresses and birthdates to frequent flyer status and points balance.
A statement issued by Qantas said the company “wanted to do all it could to protect customers’ personal information”.
“We believe this was an important next course of action,” the statement said.
“Qantas continues to work closely with the Australian Federal Police, the National Cyber Security Co-ordinator and the Australian Cyber Security Centre, to thoroughly investigate this criminal activity.”
Clayton Utz partner James Neil said the injunction was predominantly aimed at “third parties” who might come into possession of the information.
“I think the injunction is unlikely to have much effect on the hackers themselves — they’re unlikely to pay much attention to what an Australian court says,” said Mr Neil.
“But the orders will often apply to third parties who come into possession of the hacked information with knowledge of the orders, such as media outlets or online platforms. They will be on notice of the orders and should be incentivised to prevent the dissemination of the hacked material.”
The airline again emphasised that no credit card details, personal financial information or passport details were stored in the compromised system.
Passwords, PINs and login details were also not accessed or compromised.
Qantas previously revealed a “potential cyber criminal” had made contact with the airline in relation to the cyber attack, which followed an “interaction” with the Manila call centre.
It is unknown if any ransom demands were made in relation to the data, which cyber experts have suggested is sufficient for social engineering scams targeting individual customers.
Those affected are advised to remain vigilant to any requests for further data, either by phone, text or email.
Qantas said it was “aware of increased reports of scammers impersonating the airline and recommended customers remained alert for unusual communications claiming to be from Qantas”.
“Qantas will never contact customers requesting passwords, booking reference details or sensitive login information,” the statement said.
Regional director of systems engineering at breach containment company Illumio, Andrew Kay, said it was an appropriate move by Qantas to help limit the misuse of the data.
“I think more fundamentally it doesn’t undo the fact the breach has occurred but it shows to the public and regulators, action is being taken,” said Mr Kay.
“The focus should really be on reducing the impact of such attacks and ensuring they are improving their processes so it doesn’t happen again.”
He said it remained an “uncomfortable truth” that many organisations will be in this position, as cyber criminals continued to target large corporations.
“I think breaches will continue to be inevitable but the actual disaster of the fallout of it doesn’t have to be,” Mr Kay said.
Qantas has set up a dedicated support line for customers caught in the cyber hack, on 1800 971 541 or +61 2 8028 0534.
The Yahoo story provides:
A fresh bid has been launched to seek compensation on behalf of the millions of Qantas customers whose data was exposed in a major data breach. Nearly six million customers had their personal information compromised by the breach on June 30.
Maurice Blackburn has lodged a complaint with the Office of the Australian Commissioner (OAIC) on behalf of impacted individuals. It alleges that Qantas failed to take reasonable steps to protect personal information.
The Qantas hack occurred in Manila at one of the airline’s call centres, with a cyber criminal gaining access to a third party customer servicing platform. The data of 5.7 million customers was on that system.
Maurice Blackburn principal lawyer Elizabeth O’Shea said the official complaint was lodged late yesterday with the OAIC, the authority charged with taking action over breaches of the Privacy Act.
“While we await a response and potential action from the OAIC in relation to Qantas failing to adequately protect the personal information of its customers, we would encourage Qantas customers who were impacted by the breach to register with us to receive updates about the representative complaint and compensation which may be sought on your behalf,” she said.
“It is early days in what we are learning about the mass data breach, but if you’re one of the millions of people that have had your personal information compromised, you’re eligible to register with us and we will keep you informed as the matter progresses.”
O’Shea noted that registration was free and non-binding.
Qantas gets court order to prevent release of hacked data
It comes as Qantas obtained an interim injunction in the NSW Supreme Court to try and stop the publication of the stolen data.
“We want to do all we can to protect our customers’ personal information and believe this was an important next course of action,” Qantas said in a statement.
There is no evidence that any personal data stolen from Qantas has been released, but Qantas said it was actively monitoring the situation with the support of cyber security experts.
The injunction means that in the event cyber criminals do post details on the dark web, others won’t be able to repost or publish the details.
Qantas previously revealed that of the 5.7 million customers impacted by the breach, 4 million customers had their name, email and frequent flyer details impacted.
Of the remaining 1.7 million, about 1.3 million had residential and business addresses, 1.1 million had date of birth, 900,000 had phone numbers, 400,000 their gender, and 10,000 their meal preferences impacted.
No credit card details, personal financial information or passport details were stored in the system.
Customers have been advised to remain vigilant to scams and report them to Scamwatch.