Eric Johnston

Qantas cyber hack: The next step is the hardest

After nearly a week, Qantas is now confident it is on top of what was stolen from its customer database. Picture: AFP
The Australian Business Network

In releasing details of the millions of data points stolen from Qantas’ tech system, the airline’s chief executive, Vanessa Hudson, is gaining confidence that she is now on top of the scale of the breach, including what exactly was hacked.

The next step is the hardest part: A standoff with the cyber crooks, who will demand a ransom for Hudson to get her missing data back.

Qantas refuses to discuss its intentions or processes; however, the airline, like other Australian corporate hack victims Medibank Private and Optus, is expected to hold firm and refuse to pay what is likely to be millions of dollars.

Qantas chief Vanessa Hudson.

Qantas is working with the Australian Federal Police and other security agencies, including the National Cyber Security Co-ordinator, on this and a criminal investigation is under way.

For any corporate which chooses the harder path of holding out, a big part of it is having the trust of its customers. After all, they are the ones who are the real victims in any cyber attack.

Trust was already a vulnerability for Qantas leading into the attack, and this is the reason why so much public anger had been directed at the airline towards the end of former boss Alan Joyce’s tenure.

Australians felt the goodwill they had invested into the Qantas brand was being taken advantage of.

Since taking charge, Hudson has taken significant steps towards rebuilding the reputation of the airline by switching the focus back to customers. There is no doubt that this hack represents a major setback and will be a test of her efforts so far.

Australian corporates have found transparency is the best way to keep customers onside through a cyber attack. Telling them when they know about the attack and who has been affected helps maintain the trust; then explain how the system is being fortified so it doesn’t happen again.

Hudson says the airline has put in place heightened security measures around all levels of the data it holds. It has also launched its own internal investigation into how the cyber crooks got access to its system.

At a board level, new chairman John Mullen was chairing logistics company Toll Holdings (now called Team Global Express) when five years ago it was hit by a major cyber attack that crippled its systems for weeks. And as Telstra chair he was involved in several simulations of a cyber attack.

With any cyber attack, the first job is to secure the tech system and isolate the compromised network. Then it’s a matter of forensically understanding what damage has been done, including what is not in it.

This is the step that Qantas is up to.

Stolen data

The initial number of customers impacted has been scaled down slightly from 5.9 million compromised accounts to 5.7 million. The reason for this is some duplicate accounts had been sitting in the system.

Qantas has now been able to divide the data which was stolen into two buckets – sensitive but low risk and sensitive and higher risk. Importantly, Qantas is confident that there were no cases of sensitive, but extremely risky, data stolen such as passport numbers, credit cards or account passwords.

The overwhelming majority of those accounts compromised, or about four million, fall into the first category: names, email addresses and Qantas Frequent Flyer numbers. The data is still personal and has the potential for mischief in the wrong hands. However, it’s relatively low value given it is basic information.

The worry for Qantas is the 1.7 million customer accounts that had a combination of more sensitive information stolen. This includes home and business addresses, and hotels stayed at (for lost luggage). About one million of these accounts have phone numbers and dates of birth. Of these, about 10,000 show meal preferences.

Personal information including names, addresses and even meal preference was stolen from Qantas.

A combination of these strands of data – including the personalised meal preferences – puts more than one million customers at risk of identity fraud. After all, you can change your email or credit card, but you can’t change your name or birth date.

Qantas has started to contact customers caught up in the hack, and the higher-risk customers have been prioritised. Qantas has also engaged cybersecurity experts and so far there have been no signs of data being released, although it is still early days.

Despite more and more business being conducted online, it now looks as though call centres are the major vulnerability when it comes to corporate hack attacks. This plays on the notion that more than 90 per cent of cyber attacks are due to human error, including opening a suspicious email. Qantas is keeping quiet around how its systems were compromised but a Manila-based call centre appears to be the entry point.

Qantas argues the location of the call centre wasn’t the vulnerability, given the same systems and therefore the same form of attack could have happened if it were in Auckland, Sydney or in South Africa where another call centre is based.

Qantas says the multiple locations are to support global time zones.

‘Sophisticated’

Hudson says the attack was highly sophisticated and was designed to exploit any weaknesses in the system. Action has already been taken to close the weak point.

It’s this customer service data that sits on a separate system from Qantas’ Frequent Flyer data, and that’s where the top tier of personal data sits. Qantas says there’s higher security around Frequent Flyer systems, although it’s now clear all data – whether customer facing or Frequent Flyer – should be considered equal.

What is significant is what now happens between customers and a company after a major attack.

For Medibank the wave of negative publicity and fallout resulted in it losing more than 12,000 customers in the first month after the attack, including new customer leads. These losses stabilised within three months. Within four months, it started growing its market share again.

Optus also experienced a loss of market share when thousands of customers jumped to Telstra, but numbers there also began to recover three months after its attack.

Medibank saw market share losses stabilise after a few months. Picture: Hollie Adams

At Medibank, existing customers stopped citing “cybercrime” as the main reason for leaving just three months after the event. Other measures such as the insurer’s net promoter scores began to recover over this period.

Medibank refused to pay millions of dollars in ransom demands and chief executive David Koczkar came under intense pressure when the criminals started leaking out personal health data, including Medicare card numbers and health claims information, on the dark web. His customers were vulnerable, but still overwhelmingly stuck by the insurer.

Still, a customer class action is making its way through the courts three years after the event.

Eventually the Medibank hackers gave up, and the Australian government linked baby-faced Russian cyber criminal, Aleksandr Ermakov, to the attack.

Qantas might be on top of the scale of its data breach; however, the long repair job is just beginning.

johnstone@theaustralian.com.au

Eric Johnston, Associate Editor

Eric Johnston is an associate editor of The Australian. He has more than 25 years’ experience as a finance journalist, including as a former business editor of The Australian. He has been business editor of The Sydney Morning Herald and The Age and financial services editor with The Australian Financial Review. His work has also appeared in The Wall Street Journal.


Original URL: https://www.theaustralian.com.au/business/aviation/matter-of-trust-the-next-step-for-qantas-responding-to-its-cyber-hack-is-the-hardest/news-story/4040993c4b02a971132357d887190e65