NewsBite

Opinion

‘I dropped everything’: Qantas boss clears the air on cyberattack

It wasn’t quite the same drama Kiefer Sutherland’s fictional character, Jack Bauer, endures in the TV series 24, but Qantas boss Vanessa Hudson has just had her own little adventure tackling cybercriminals.

Ten days ago, while holidaying with her family in Greece, Hudson received the call from a senior executive holding down the fort in Australia. It was an early morning call for Hudson, and the news was grim.

Qantas’ system had been breached by cybercriminals. It was the first crisis under Hudson’s watch, and her holiday was over as round-the-clock management of the crisis kicked in.

The data breach was bad enough, but how Qantas would handle the situation was a key subject of interest for customers, the media, the government and the airline’s board. To say nothing of the elites – from the likes of the prime minister to the chairman of BHP – given some Chairman’s Lounge members’ details had been stolen.

Qantas chief executive Vanessa Hudson said the airline was treating the cyber hack “incredibly seriously”. Credit: Eamon Gallagher

A response team was quickly assembled, with members from the IT, Frequent Flyers, communications and government relations divisions all pitching in. For the next 72 hours, Hudson held a series of meetings with the response team, the board and the government, including federal Cybersecurity Minister Tony Burke.

“As soon as I was contacted, I dropped everything, this was 100 per cent of my focus – responding to the team,” Hudson said.

In the early hours of the drama, what had been stolen and how many and which customers had fallen victim wasn’t known. Hudson said that in the initial 24 hours, the first and most immediate task was to secure the system and lock out the cybercriminals.

Once that was done, the next task was to assess what information was contained in the breached system and which customers were affected.

From the Qantas customer management perspective, it was equally important to find out what information wasn’t compromised. Luckily, hackers had stolen no passport or credit card details, but addresses, phone numbers and frequent flyer numbers of millions of customers were now in a criminal database.

Nailing down that damage assessment took Qantas 24 hours. Then began the task of letting customers know. First Qantas contacted all Frequent Flyer customers, regardless of whether their details had been compromised. Next came the more unpleasant task of letting affected customers know about the hack.

On Wednesday, a week after the initial announcement, Qantas sent out more-refined emails to various customer sets, letting them know what information had been taken. Those least affected (including me) had their name and frequent flyer number stolen.

Those who experienced a more invasive theft had, in addition to the above, their home or business addresses, phone numbers, birthdates, gender and even meal preferences accessed by the hackers. (Vegetarians, coeliacs and lactose avoiders be aware – your secret may find its way to the dark web.)

Hudson, who has been criticised for remaining in Europe in that crucial 48-hour period, said that she didn’t want to be on a flight during the initial, intense phase of the response because she wanted to be contactable by phone.

She remained on the ground until the 72-hour period had passed and then returned to Australia.

Hudson also said lessons had been learnt from the high-profile cyberattacks mounted against Optus and Medibank Private in 2022 – in particular, the need to cut down how long Qantas holds onto sensitive data such as passport numbers in its databases. Qantas doesn’t keep them for long, which is one reason why no passport data has seemingly been stolen.

The airline this week told the market it had been approached by a hacker claiming responsibility for the attack but released no further details given the matter was in the hands of the police.

However, you would have to assume that a ransom was sought given thieves rarely make social calls. And the best guess is that Qantas won’t be paying the criminals anything.

It has been widely speculated that an aggressive hacking group known as Scattered Spider is the culprit. It is the cybercriminal du jour for the aviation and retail industries in the UK and the United States, but the true identity of the hackers or hacker may become clearer after a thorough investigation.

All in all, things could have been much worse for Qantas, but Hudson would be aware that any company whose systems are broken into by cybercriminals tends to wear that stain for a while, and questions will be asked about the airline’s security measures.

Qantas, under Hudson, has had plenty of practice placating miffed customers, and the hack means the airline will probably need to put that practice back into action, at least until the storm blows over.

Original URL: https://www.smh.com.au/link/follow-20170101-p5mdoi