
Qantas customers warned to be vigilant after cyberattack on 6 million accounts

By Chris Zappone

Qantas Airways passengers are being warned to remain vigilant after criminals hacked into up to six million customer accounts, one of the largest data security breaches in Australia in recent years.

The airline has become the latest major company to have been hit by a cyberattack, revealing on Wednesday that hackers have accessed customers’ personal information from one of its call centres. While Qantas is still investigating how much of their data has been stolen, it warned that “it will be significant”.

Qantas has been the target of a cyber attack. Credit: Bloomberg

An initial review of the incident showed the stolen data includes customer names, email addresses, phone numbers and birthdates, as well as frequent flyer numbers, Qantas said in a statement to the ASX on Wednesday.

However, no credit card details, personal financial information or passport details were held on the hacked platform, and no frequent flyer accounts were compromised. The system was “now contained,” the airline said.

Macquarie University cybersecurity professor Dali Kaafar said details of the incident revealed by Qantas suggest credit card details and personal financial information were held separately from the third-party platform.

“Segmenting sensitive information is limiting what we call the ‘blast radius’ when a breach occurs. This is pretty much what happened,” he said.

However, the type of personal information stolen can be used for other types of attacks, like phishing attacks, identity theft or even social engineering efforts, where criminals dupe victims into giving up passwords or other sensitive data, Kaafar said.

“This sort of data allows malicious actors to build more complete profiles about individuals and definitely makes them more vulnerable and susceptible,” he said.

Qantas urged customers to remain “alert for unusual communications claiming to be from Qantas”. The airline would not ask for personal information or passwords, it said.

The company has established a customer support line and dedicated page on qantas.com to provide information on the incident.

The incident occurred when hackers targeted one of Qantas’ call centres and gained access to a third-party customer servicing platform.

Qantas is now in the process of contacting customers about the breach, CEO Vanessa Hudson said, and “our focus is on providing them with the necessary support”.

“We sincerely apologise to our customers, and we recognise the uncertainty this will cause,” she said. “Our customers trust us with their personal information and we take that responsibility seriously.”

Given the “criminal nature” of the incident, Qantas has notified the Australian Federal Police, in addition to the Australian Cyber Security Centre and the Australian Information Commissioner.

Bea Sherwood of consumer advocacy group CHOICE said the incident drives home the need for the planned Aviation Industry Ombuds Scheme to protect consumer data.

“As consumer concerns about use of their data grow, and airline operations become more data driven, a robust aviation Ombuds Scheme is more important than ever,” he said.

The intrusion hit a customer relations management platform used in a Manila-based call centre where reservations are made.

Aviation industry insiders suggested cyber criminal group Scattered Spider could be behind the Qantas hack. The gang is also suspected to have attacked Hawaiian Airlines and Canada’s WestJet in recent days.

Cybersecurity firm CrowdStrike says Scattered Spider is “a prolific eCrime adversary who has conducted a range of financially-motivated activit[ies] since early 2022 ... predominantly target[ing] firms specialising in customer relationship management and business-process outsourcing, as well as telecommunications and technology companies”.

Airlines’ reliance on multiple overlapping interconnected digital systems is thought to make them especially vulnerable.

Qantas said frequent flyer membership numbers had been accessed, but not the logon information needed to use those accounts.

Adele Eliseo of Champagne Mile, an air mile advice site, said points are a tangible asset with real financial value, and they should be safeguarded like cash.

“When frequent flyer numbers are exposed alongside personal details like name, date of birth, along with email and phone, it opens the door to account compromise, now or down the track,” she said.

Eliseo urged consumers to monitor their frequent flyer accounts regularly over the coming weeks and months, “keeping an eye out for any unexpected points deductions”.

In last year’s financial report, the airline cited cybersecurity and data loss as a material business risk.

Qantas said at the time it continued to improve its cyber defence.

The Qantas data breach follows high-profile cyberattacks like the one on Optus in 2022, when hackers gained access to names, phone numbers and drivers licences of the telco giant’s customers in one of the largest data breaches in Australian history. The same year, after a ransomware gang breached Medibank Private, criminals began posting private customer data online to coerce the health insurer into paying the ransom.

Original URL: https://www.theage.com.au/link/follow-20170101-p5mbv1