Qantas reveals extent of personal details stored on database that was subject to cyber attack
Qantas reveals extent of personal data stored on a customer database that was subject to a cyber attack, including addresses and frequent flyer points balances and status credits.
Qantas CEO Vanessa Hudson says she has taken personal accountability for the cyber attack on a customer database in which the data of 5.7 million people was accessed.
Although no credit card, financial or passport details were stored on the compromised platform, Qantas said a range of other personal data was on hand including name, email, frequent flyer number, birthdate, address, phone number, gender and – for about 10,000 – meal preferences.
Of the 5.7 million, 2.8 million customer records contained name, email address and frequent flyer number, as well as status tier in many cases, with exclusive Chairman’s Lounge members among those caught up in the breach.
The invitation-only group including judges, politicians and celebrities is considered the top tier of the Qantas Frequent Flyer scheme ahead of Platinum One and Platinum, Gold, Silver and Bronze.
A small subset of those 2.8 million customers also had their points balance and status credits on the database.
Another 1.2 million customer records were limited to name and email, while the remaining 1.7 million records included a combination of data fields.
Of those, 1.3 million included an address; 1.1 million a birthdate; 900,000 records listed a mobile, landline or business phone number; 400,000 recognised gender and 10,000 customers had their meal preference recorded on the database, a detail which could also identify religion.
Customers who last week received an email advising their information was affected in the cyber breach should expect further correspondence about what personal data was in storage.
To date there is no evidence that any of the data stolen had been released, but Ms Hudson said she understood the breach was of concern to customers.
“I don’t want to diminish the fact our customers trust us with looking after their data, and we are very focused on making sure we learn from this, that our systems are improved and the security around all of our systems is lifted as a result,” she said.
“Customers can feel confident that we have made the right steps to ensure that.”
In addition, Qantas was looking at purging data from its systems more regularly, and uplifting more controls around contact centre access to sensitive data.
The move follows the revelation “an interaction” between the cyber hacker and the Manila call centre led to the data theft.
However, Ms Hudson said she was “personally taking accountability” for the breach.
“I sent six million emails last week (and) I’ve sent six million emails this week to address that, and I think that is the most important thing we can do to assure customers that we’ve taken it seriously,” she said.
“We will look after their data and improve our systems as a result of this, and support them when difficult situations such as this occur.”
Ms Hudson would not comment on the contact made by the potential culprit, which was under investigation by Australian Federal Police.
Chief scientist at software company Rapid7, Raj Samani, said companies subjected to ransom demands following cyber attacks should definitely not pay up.
“Firstly, you are supporting organised crime, and secondly there is no guarantee there will be any successful conclusion to the negotiation,” he said.
“Finally these groups are criminals so they are generally not very reliable. Despite receiving payment, many ransomware groups have a history of either providing decryption keys of insufficient quality or not providing the keys at all.”
Ms Hudson said Qantas remained in “constant contact with the National Cyber Security Co-ordinator, Australian Cyber Security Centre and the Australian Federal Police”.
“I would like to thank the various agencies and the federal government for their continued support,” she said.
A dedicated support line remained in place for customers on 1800 971 541 or 02 80280534.