QANTAS Cyber Incident

2 platforms Qantas use that immediately come to mind for me are Salesforce (as already mentioned by @sudoer) and Qualtrics (which is used for surveys/feedback). My hope would be that Qantas had implemented Single Sign-On with multi-factor authentication for both of these platforms.

In terms of Salesforce, short of obtaining actual login credentials, a physical data extract or - heaven forbid - there having been an incredibly inept implementation of security rules within the platform readily allowing external access, it would be incredibly difficult - not impossible, but certainly difficult - to obtain anything overly meaningful.

Qualtrics is likely an easier target given it's quite simple to make reports/dashboards publicly accessible with/without a password, but again, I would hope that Qantas had implemented at least the basics in terms of appropriate security roles/privileges.

Will be interested to see if this turns out to be a genuine "hack", a data breach by way of social engineering, or simply a breach resulting from incompetence in terms of system security?
 
Qualtrics dashboards wouldn't typically contain PII like DOB and email. Given QF have identified the nature of the compromised data, some sort of direct hack of a local CRM, or spyware or data interception on a browser-based system, is more likely.

We know the outsourced call centres don't directly use QF systems; rather, their systems have APIs into QF systems to send updates and retrieve data, hence they can't always do what QF call centre staff can.

It could be as simple as some Call Centre staff having spyware on their system after opening a dodgy website or email, intercepting calls to/from QF systems for customers who contacted in a certain time period.
 
So, within 36 hours the team identified "additional security measures" and were able to "strengthen system monitoring and detection".

That is incredible work and the truth that the requirement for this investment in technology was previously not known, identified or discussed will be simple to justify when the representative proceeding commences.
This tells you so much.

Like, why was this NOT done several years ago? Seems a lot of "doubting Thomases" won the day until the actual event happened, and then reactively they "spring into action" looking like saviours when they've really just been intellectually lazy.
It's not generally digital security that's improved. Usually that side of things is very solid. It's more likely, as people mentioned, social engineering, and thus tightening up protocols (and/or reminding people).

Unless there's another Optus situation, it's much easier to breach personnel in today's world than an actual digital system. It only takes one manager account to be compromised to pull a lot of data.
 
Qualtrics dashboards wouldn't typically contain PII like DOB and email.
Don't disagree with this, but as you say, this is typically the case. I was mainly just highlighting that it's reasonably simple to make information publicly visible with little to no security via that platform.
 
I know they said no QFF accounts were compromised, and I guess we can choose to believe that or not. I mean... they didn't know about this breach, so what else don't they know about yet?

But my favourite part is that QF still only allows a four-digit PIN as the account login credentials - in 2025. My password manager basically tells me "I'm sorry, Dave, I can't let you do that" whenever I'm in that entry in the database and begs me to change it to something that has meaning and even a modicum of security. Yes.. 2FA... but it doesn't mean that we can't have complex passwords also.

Then again... I would be staggered if QF does anything meaningful to protect the login data it's entrusted to hold, such as hashing passwords, and per-user hash salting.

And let's not even contemplate QFF offering Passkeys, although perhaps that might be the security step change they can make for the sake of users.

I store as little personal information in my QFF account as possible, but it's still a treasure trove of details and juicy target for "hackers" IMO.

Qantas - please do better with account login security

thank you for coming to my TED talk
 


Access could be obtained in a multitude of ways. Let's just assume data from SFDC was exfiltrated. The attackers could have gained access to the network and moved laterally to an operator's computer and hijacked sessions. Simply put, we just don't know at this stage and specifics are unlikely to be made public.

It's just a question of when, not if a breach is going to happen for companies. The question is, what are they doing to minimise the blast radius when bad actors gain access. With QF in this case, the answer was clearly not enough.

QF saying it was a 3rd-party system is just trying to deflect responsibility for what is really their own fault.
 
But my favourite part is that QF still only allows a four-digit PIN as the account login credentials - in 2025
While that is one of the inputs, it also requires FF# and Surname, which until today was a pretty high bar. Given the propensity for everyone to use email as the username and people's insistence on reusing passwords, I would be quite confident (again, until today) that they would have seen a much lower proportion of credential stuffing attacks.

The problem with complex, single use passwords as an answer is that it requires everyone to use them, and that is never going to happen.

I think today is a good day for QF to reconsider their approach, however from an optics perspective you really wouldn't want to be changing authentication approach for the FF portal at the same time as trying to calm the farm around points and bookings not being impacted.

Brute-forcing 4-digit PINs is not an option as accounts quickly get locked out, but having FF# and Surname significantly lowers the bar. People likely reuse PINs, so there would possibly be some accounts that could be stitched together across disparate leaks, but then MFA is another hurdle; they will likely need to port numbers as well, and that's only if the accounts aren't using an authenticator app and are using SMS.
 
Access could be obtained in a multitude of ways. Let's just assume data from SFDC was exfiltrated. The attackers could have gained access to the network and moved laterally to an operator's computer and hijacked sessions. Simply put, we just don't know at this stage and specifics are unlikely to be made public.
Very true.
 
It's often the internal systems that are the least protected, as application teams heavily rely on network-level security and ignore application-level security.
 
From the page they put up about it:
Fat lot of good any of the above will do when you've outsourced to the cheapest bidder offshore, who's targeted by criminals from anywhere in the world...

The execs who were part of the offshoring craze in the past decades should be brought back and held responsible for these, and all the hefty bonuses they received when they saved so much money for these companies should be used as part of the victim compensation payouts.
This would be part of their ISMS/ISO27001 requirements to inform interested parties of an incident.
I assume they're ISO27001 certified, even if they don't advertise it (couldn't find evidence from my quick googling; my employer doesn't publicly advertise our security certification lest it attract hackers and nefarious actors) and informing relevant parties is section 4.2 of the 27001 standard.

(Wow, who knew I'd ever use this knowledge on AFF? 😆)
 
Received the first email about the problem:

I wanted to update you on a cyber incident that occurred in one of our contact centres impacting customer data. The system is now contained. For those customers whose information has been potentially compromised you will receive further communication from us shortly.

To all our customers, I would like to sincerely apologise that this has occurred.

There is no impact to Qantas' operations or the safety of our airline. However, we understand that when personal information is at risk, it can affect peace of mind, so we wanted to update all of our customers on what occurred and what we are doing.

What happened

On Monday, we detected unusual activity on a third-party platform used by one of our airline contact centres. We immediately contained the incident and can confirm all Qantas systems remain secure.

Our initial investigations show the compromised data includes some customers' names, email addresses, dates of birth and Frequent Flyer numbers. Importantly, no credit card details, personal financial information and passport details are held in the system that was accessed. No Frequent Flyer accounts, passwords, PIN numbers or login details have been compromised.

What we're doing

We're working closely with government agencies and independent cyber security experts while we respond to this incident.

Support available

Contact our dedicated support line on 1800 971 541 or +61 2 8028 0534 for assistance, including specialist identity protection advice, or visit our webpage for more information.

If you have upcoming travel, there's nothing you need to do. You can check flight details anytime via the Qantas App or website.

We understand situations like this create genuine concern and we want you to know we are taking this seriously.

Now wait and see for a second 😅
 
If the hackers can help me with my DONE4, I would be genuinely appreciative......😂🤣

But aren't we all travel hackers here on AFF?

RIP. First it was Optus and now this? :\

Did you forget Medibank, Latitude, MediSecure (lol), ClubsNSW, Service NSW, Telstra, etc?

Waiting for Executive Traveller's post to show how this is going to be a game changer for QFF members, like they promoted Classic plus last year

Too busy posting clickbait about Qantas DSC....
 