What the Qantas cyber attack may mean for your data
Stephanie Chalmers and Emilia Terzon, ABC
A photo taken on August 20, 2023 shows the wing-tip of a Qantas Airbus A330 descending to land at Sydney's Kingsford Smith Airport. Photo: WILLIAM WEST/AFP
Cybersecurity experts are warning Qantas customers to remain vigilant to scams and hacking attempts in coming days, after as many as 6 million Australians were caught up in a data breach.
Qantas has revealed it came under attack by cybercriminals on Monday and is continuing to investigate exactly how many customer records were stolen, of the millions on the platform that was breached.
Here's what we know about the data accessed, how it could be used by cybercriminals and what you can do to protect yourself in the wake of the incident.
Qantas says a cybercriminal targeted a call centre and then gained access to a third-party customer servicing platform.
The airline has outlined the data stolen: it includes some customers' names, email addresses, phone numbers, birth dates and frequent flyer numbers.
"Importantly, credit card details, personal financial information and passport details are not held in this system," the airline's statement reads.
"No frequent flyer accounts were compromised nor have passwords, PIN numbers or log in details been accessed."
Qantas said the system that was accessed contains the records of 6 million customers. It said it would contact all of those who were potentially affected.
On Wednesday, a message was sent to Qantas Frequent Flyer members, noting: "For those customers whose information has been potentially compromised, you will receive further communication from us shortly."
So, essentially, watch this space if you are a Qantas customer.
Tony Jarvis, the chief information security officer at cybersecurity firm Darktrace, told The Business that personal data had different values when sold on the dark web, depending on the nature of the data.
"It can range anywhere from a dollar or two, to over $100 depending on the type of information we see," he said.
As of Wednesday evening, Jarvis couldn't detect any data from the Qantas breach for sale on the dark web but said he would continue to monitor the situation.
He advises Qantas customers to stay across updates from the airline in case further details of the type of data compromised are released.
Qantas has established customer support lines and says it will also maintain a dedicated page on its website to keep customers updated.
The biggest risk for people now is that their data is used to attempt fraud, target scams or, in the worst-case scenario, steal their identity.
Personal details can be used to add weight to impersonation scams - for example, pretending to be a company or agency someone has an account with.
"If I was to receive an email with accurate information of my name, date of birth and frequent flyer information, then I'd trust this email," La Trobe University data security expert Daswin De Silva said.
He therefore warns Qantas customers to be vigilant about handing over extra details, like credit card information or bank details, to people claiming to be from government agencies or companies.
"Then it becomes a financial loss," he added.
Cybercrime specialist Richard Buckland agrees that further scam attempts remain one of the biggest concerns from the Qantas breach.
The data could also be used to try and hack into accounts on other services.
If you use the same email address across many online profiles, stolen information such as your date of birth, address or phone number could be used to try and gain access to other accounts and even financial records.
"The information that's been stolen is used by lots of companies to identify them," Professor Buckland, from UNSW, said.
"The data could be used to do password resets on lots of other accounts."
In previous cybersecurity incidents involving major Australian companies including Medibank and Optus, there were also concerns that people's personal information could be sold on the dark web to carry out further identity theft.
In Medibank's case, the data hacked was so sensitive in nature - with personal healthcare records accessed - that it also led to grave concerns for people's individual wellbeing and ransom demands against Medibank.
Both Professor Buckland and Professor De Silva note that such sensitive information hasn't been reported as accessed in the Qantas hack.
If you're a member of the Qantas loyalty program, you might be wondering if your points are at risk.
Qantas has listed frequent flyer numbers as among the data compromised, but says "no frequent flyer accounts were compromised".
However, Professor Buckland warns those accounts could be targeted in subsequent hacking attempts, given membership numbers are among the data breached.
"It's quite possible this could be used to log into the frequent flyer system by claiming you've lost a password and trying to do some sort of password reset," he said.
Airline loyalty commentator Adele Eliseo notes that loyalty balances are extremely valuable, describing them as a financial asset.
"Frequent flyer numbers are more than membership references. They are the gateway to accessing points with tangible financial value, and when linked with personal information, they expose account holders to significant vulnerability," she said.
She encourages people to log in to their accounts often in coming weeks and months and check for any unusual activity, and consider two-factor authentication.
The consensus among the cyber experts we spoke to? An oldie but a goodie - change your passwords.
"If it was me, I'd be keeping a close eye on my frequent flyer points and changing my [frequent flyer account] password straight away," Professor Buckland said.
"Then just watching it closely. Presumably, if someone does go in and steal those points or it uses them for things, Qantas is able to reimburse that, so I think it's just a matter of noticing that that's happened."
Professor De Silva says people should think about resetting passwords and make them as secure as possible, including by using password generation software that encrypts codes.
"This is something we should be doing regularly," he said.
Darktrace's Jarvis warns people to avoid clicking on links in emails purporting to be from Qantas, as companies that have experienced cyber attacks are often impersonated in their wake.
"It could direct you to a malicious website where your details, your usernames and passwords, can be siphoned off … always go to the Qantas website directly to get your source of information."
Professor De Silva also says there is a risk that people's credit card details have been stored along with their frequent flyer accounts, and that this information could now be accessed too.
In this instance, he thinks people should take the "extreme measure" to cancel their credit card, "to be on the safe side".
- ABC