Qantas hack will haunt affected customers for a long time, experts warn

By Chris Zappone

Qantas customers caught up in the data breach are under increased risk, with experts warning that the information stolen from the airline could be used to target accounts they hold at other high-profile brands.

The airline on Wednesday said that 5.7 million customers had their information accessed by hackers last week, including information on frequent flyer accounts (including membership tier status: bronze, silver, gold, platinum or Chairman’s Lounge), addresses and even the food preferences of thousands of travellers.

US-based cybersecurity company Arkose Labs’ chief executive Kevin Gosschalk told this masthead the stolen information could potentially be used to break into accounts the affected Qantas customers have with retail, grocery and luxury brands.

A Qantas plane at Sydney’s airport. Credit: Wolter Peeters

“It’s not about targeting Qantas, it’s about how else can scammers now go and scam the information and the individuals who had their information,” said Brisbane-born Gosschalk.

“It’s going to be a problem for customers for many years to come.”

With the Qantas data now out in the wild, criminals “have a very clean, very targeted list they can go use to try and compromise other industry and other company accounts in Australia”, warned Gosschalk.

Gosschalk, whose company counts airlines and large corporations as clients, added the stolen membership status data would be especially lucrative for hackers, allowing them to home in on more high-end accounts.

“That is a hyper-targeted list for a scammer to go and try to compromise a multimillionaire’s accounts. That data is way more useful targeting the victims, than targeting the airlines.”

Gosschalk added the data can be used to “stack-rank people’s wealth”.

“And you’re going to want to scam the richer people because they have more money,” he said.

Qantas does not publish the total number of members of the invitation-only Chairman’s Lounge. But its members include Prime Minister Anthony Albanese, MPs from all parties, chief executives, senior bureaucrats, judges and a range of other VIPs.

The airline has not indicated the number of frequent flyers’ tier data released, other than to say that the “majority” of 2.8 million customer accounts with name, email address, and frequent flyer number included the passenger’s tier.

“Tier status and points balance reveal spending behaviour and loyalty value,” said loyalty program review site The Champagne Mile’s Adele Eliseo. “These are meaningful data points that can be used to flag high-value accounts.”

Frequent flyer programs are typically the primary targets of hackers eyeing airlines because the programs are the “store of value” that an attacker can compromise and convert into money.

In 2022, an IT provider for Philippine Airlines was breached, losing details on thousands of frequent flyers. The same year, five Singapore Airlines’ frequent flyers had their accounts hacked with their points stolen, before the airline reversed the loss.

While producing a “target list” of future scam victims is one potential consequence of last week’s hack, the stolen accounts, stolen points, and tickets purchased with stolen points can also be sold for value on the dark web.

One Qantas Point can be worth up to 5¢ when redeemed, with 200,000 points sitting on up to $10,000 in value, according to Eliseo. Those same accounts are sold for about 5 to 10 per cent of the value on the dark web.

The data needs protection: Airline darkweb chatter shows how stolen air miles are sold by scammers. Credit: Arkose Labs

The vast application of loyalty points means they can also be converted to gift cards at vendors and for rentals, which are harder for authorities to trace.

“This breach exposes how important it is for consumers to start treating their points as financial assets and to take steps to protect them,” said Eliseo. “But we also need loyalty programs and regulators to step up and start providing the safeguards we expect from financial institutions.”

“In recent years, there’s been a surge in the monetary value held inside loyalty ecosystems, but security standards are often lagging behind.”

Eliseo said it’s standard for loyalty programs in Australia to include full membership numbers in emails but in financial services, this information would usually be suppressed. “The difference points to a gap in data protection standards.”

In a survey of IT investment priorities of airlines by the member-owned aviation tech company SITA, only 22 per cent listed cybersecurity. By contrast, 55 per cent named air and operations, control centre systems and real time flight optimisation tools.

Stolen air miles for sale on the dark web. Credit: Arkose Labs

While using fraudulent emails to trick a person into giving up valuable credentials, known as phishing, was a primary method of cybercriminals, criminals are now using generative AI to create entire phishing websites, or using auto-diallers to contact potential victims en masse.

“They’re using those tools to basically scale fraud,” said Gosschalk.

“So you can do it now at ‘bot scale’.” A scammer can hit all six million people in the day rather than having to manually call six million people which will take me months, he said.

Qantas reiterated on Wednesday that no credit card details, personal financial information or passport details were accessed. “There continues to be no impact to Qantas Frequent Flyer accounts.”

The airline recommended that customers “remain vigilant to any misuse of their personal information” and “remain alert, especially with email, text messages or telephone calls”.

Qantas customers should stay informed about the latest threats by visiting the Australian Cyber Security Centre and the National Anti-Scam Centre’s Scamwatch webpage, the company advised.

As of Thursday, the hacked data does not appear to have been released despite a potential cybercriminal approaching Qantas.

Original URL: https://www.watoday.com.au/business/companies/qantas-hack-will-haunt-affected-customers-for-a-long-time-experts-warn-20250710-p5mdz6.html