Qantas hack includes Chairman’s Lounge membership data

By Chris Zappone
Hackers who stole data from nearly 6 million Qantas customers have information about the airline’s lounge membership tiers, including those in the exclusive member-only Chairman’s Lounge.

Qantas has determined that 5.7 million customers had records in the system that was accessed by hackers, including information on frequent flyer accounts, addresses and even the food preferences of thousands of travellers.

Hackers gained access to the data of millions of Qantas customers. Credit: istock

In a new disclosure on Wednesday, Qantas confirmed that the “majority” of a subset of 2.8 million customer records had name, email address and frequent flyer information, including the level of Qantas membership of the affected customer.

The stolen information on membership tiers includes whether the frequent flyer is a member of the Chairman’s Lounge.

Membership in Qantas’ Chairman’s Lounge has historically included MPs, the prime minister and leaders of the largest corporations in the nation.

Chairman’s Lounge membership has been the source of controversy in recent years, with concerns the airline used it as a way to influence opinions of policymakers who would oversee regulations with a direct effect on Qantas.

Qantas does not publish the total number of members of the invitation-only lounge, whose members also include senior bureaucrats, judges and a range of other VIPs and celebrities.

The lounge is the top-level tier after platinum, gold, silver and bronze. A customer needs to be at the gold tier or above to enter Qantas’ other lounges, or to have bought a Qantas club membership.

The new detail about the data breach was contained in the broader release of information on the scale of last week’s hack of Qantas customer data.

About 4 million of the 5.7 million records were limited to name, email address and Qantas frequent flyer details only, the airline said, but a smaller, unspecified, subset had “points balance and status credits included”.

Within the 4 million figure, 1.2 million customer records contained only their name and email address.

Qantas’ top-tier, invitation-only Chairman’s Lounge in Brisbane. Credit: Lucas Muro

The data exposed from around 1.7 million Qantas travellers contained a combination of their address (1.3 million), date of birth (1.1 million), phone number (900,000) and gender (400,000), and some – about 10,000 – even had their meal preferences hacked.

A week after the incursion into its database, Qantas said the airline could “reconfirm” that no credit card details, personal financial information or passport details were stored in the system affected “and therefore have not been accessed”.

“There continues to be no impact to Qantas frequent flyer accounts. Passwords, PINs and login details were not accessed or compromised. The data that was compromised is not enough to gain access to these frequent flyer accounts,” Qantas said in a statement.

Last week, after detecting unauthorised activity on a “third-party platform” used by the airline’s contact centre in Manila, the airline called in cyber investigators and began notifying members. On Monday, Qantas said that “a potential cybercriminal has made contact” with the airline.

Hacked data is often used for further digital fraud. Rob Dooley, vice president of cybersecurity company Rapid7, notes that stolen information on its own is “relatively innocuous”.

“It’s when you correlate it with other data such as passwords matching those credentials from other breaches that it becomes valuable.

“It was connecting email addresses used as usernames and hoping those users didn’t have two-factor authentication and had not changed their passwords,” said Dooley.

This tactic was used in recent attacks on Australian superannuation funds, such as Australian Retirement Trust, AustralianSuper, HostPlus and Insignia Financial.

Qantas claims 17 million frequent flyer members globally.

Too early to discuss compensation: Qantas chief executive Vanessa Hudson. Credit: Bloomberg

The Qantas data breach also follows cyberattacks on Optus and Medibank Private in 2022. The criminals who breached Medibank Private began posting customer data online to coerce the health insurer into paying a ransom.

Qantas CEO Vanessa Hudson said the airline had purged data in the aftermath of the damaging hacks of Optus and Medibank in 2022.

“The data we were deleting was more personal identity data that has been historically held in our system, such as passport details and also other relevant identity data.

“That has been an action that we took as a result of the Optus and the Medibank cyberattack,” Hudson said, without detailing the volume of data.

Hudson said it was too early to discuss compensation for affected Qantas travellers, as the company was focusing on updating them about the breach.

“By far the majority of customers have said ‘the next piece of information that I want from Qantas is the specific details of my data that was breached’, which is what we’re doing today,” she said.

As Hudson spoke, Qantas sent personalised emails to customers detailing what data was breached.

“Our cybersecurity teams have undertaken an investigation and we can confirm that the following types of your data held on the compromised system was accessed,” one email read, outlining that the customer’s name, email address and tier of frequent flyer status had been breached.

Hudson would not reveal anything about the cybercriminals behind the hack, saying it would be unhelpful to speculate. She referred questions to the Australian Federal Police.

The AFP confirmed it was investigating the incident following a request from Qantas.

“Investigators are working closely with the airline and further comment will be provided at an appropriate time,” a spokesperson said.

It is understood that the Australian Signals Directorate is also assisting in the response.

Qantas urged customers to “remain alert, especially with email, text messages or telephone calls, particularly where the sender or caller purports to be from Qantas”.

“Always independently verify the identity of the caller by contacting them on a number available through official channels,” it said.

Original URL: https://www.watoday.com.au/business/companies/qantas-releases-details-of-hack-confirming-5-7-million-affected-20250709-p5mdln.html