Qantas CEO’s ‘great regret’ over cyber attack on customer database storing personal details
Qantas CEO Vanessa Hudson has cut short her euro summer holiday to tackle a novel crisis for the airline, a major cyber attack believed to be from a known criminal hacker group.
A cyber attack was the furthest thing from Vanessa Hudson’s mind as she enjoyed her annual leave in the heatwave of Europe, far away from New South Wales’ “bomb cyclone”.
But that quickly changed on Monday after a phone call from a fellow executive telling the Qantas CEO “suspicious activity” was detected on a database where the details of six million customers were stored.
“As soon as I heard the breach had happened, I stopped everything I was doing and I connected with the team and was leading our response,” said Ms Hudson from London.
“All our focus was understanding what occurred, and the time gap between communicating to customers was so we could advise with 100 per cent confidence that no passport details had been breached, no credit card numbers and the Frequent Flyer system was completely secure.”
A statement to the ASX and the media was released Wednesday morning, outlining the attack had accessed customers’ names, birthdates, phone numbers, email addresses and loyalty numbers — enough information to cause anxiety for the millions affected.
What made it worse was the US Federal Bureau of Investigation had issued a warning three days beforehand that hacker group Scattered Spider was targeting the aviation community, with attacks on WestJet and Hawaiian Airlines.
Ms Hudson said that warning had been communicated by Qantas to its call centres on Friday June 27 — apparently to no avail.
“Unfortunately the cyber criminal in this instance was able to gain access to what is a customer service platform and that was following an interaction with a call centre operator (in Manila),” she said.
“I’m sure you would appreciate that we really do want to avoid further action by other cyber criminals so I have felt that it’s important not to provide a lot more of the specificities around what’s occurred.”
While she does not want to attribute blame, various cyber experts have highlighted striking similarities between Scattered Spider’s MO and the Qantas infiltration.
The criminal organisation is believed to have evolved from a group of young people trading secrets on social media about how to cheat at video games into something much more sinister.
“The group is notorious for targeting large enterprises — often by exploiting IT help desks via social engineering,” said Rapid7 senior director of threat analytics Christiaan Beek.
“Their end goals are typically data theft and extortion. In some intrusions, they have partnered with or acted as affiliates of ransomware gangs.”
Unlike the Medibank cyber attack in late 2022, which was attributed to Russia’s Aleksandr Ermakov, Scattered Spider’s members came from the US, UK and Canada.
Okta’s Brett Winterford said the group is motivated not only by profit but also by the “desire to score a big win that impressed their peers”.
Only last month, Scattered Spider targeted retailers including North Face, Cartier and Victoria’s Secret, following on from a spate of attacks on UK retailers Harrods, Marks & Spencer and Co-op.
US insurers including Aflac, Erie Indemnity and Philadelphia Insurance have also been under siege from the group — all hit in what appeared to be co-ordinated attacks during a five day period last month.
As yet Qantas has received no ransom demand, nor has the stolen information been shopped for sale on the dark web.
But that’s not to say the 6 million individuals caught up in the attack are in the clear — and Ms Hudson stressed that vigilance was critical.
“That is obviously the reason why we acted so quickly and so transparently with our customers,” she said.
Within hours of the suspicious activity being confirmed on Monday, Ms Hudson said she notified her chair, John Mullen, and the government.
“We are continuing to work really effectively with the government cyber teams and also the AFP because this is a criminal matter,” she said.
Experts agreed that Qantas customers risk being targeted by follow-on social engineering attacks.
This includes potential credential stuffing – the same method hackers used earlier this year to siphon hundreds of thousands of dollars of retirement savings from Australian industry super funds.
Ms Hudson described her “concern and great regret” that the attack had occurred, but she said Qantas’ response would help the airline’s mission of rebuilding trust.
“Trust is something that has to be earned both in the good times and also in the hard times and I think in the hard times in this context and where we’re at, the way in which you continue to support customers being transparent with them, being open and being supportive goes to an important part of customers’ understanding that we’re focused on them, even in the hard times,” she said.
Customers were reassured Qantas’ systems were now secure, with more details of the extent of the data breach for individual customers expected next week.
Until then Ms Hudson encouraged customers to visit the Q&A on the website and app, and call the customer support line.
“I mean this is an increasing global threat for organisations and for all of us in the modern digital world and we have to learn from these events,” she said.