QANTAS Cyber Incident

Tell me - what should the board have done to avoid this?
I would have expected that the Risk and Audit Committee of the Board would have signed off on the risk profile of the contracts they were signing into, given the catastrophic consequence/extreme risk level rating of a failure like this, on Qantas' reputation, and potentially exposure to a hefty fine - and a fine can't be claimed as a business expense, so it hits profit.

I suspect though, given the Board's behaviour in the past, it was something they didn't think, to think about.
 
I’m another one with two emails from Vanessa. I also haven’t had dealings with Qantas other than having a small amount of points being transferred every month from a credit card to keep the account ticking over.
 
Honestly I don’t think people who have chatted to a Manila call centre for flight bookings are affected, based on the media releases it merely comes off as anyone who’s got a SR number from the qantas frequent flyer/ qantas business rewards/ qantas online mall etc teams would have been affected. But I would be curious to know if someone had an SR about let’s say a flight booking original routing credit or something, how much of that info was visible 😢

And yes I’ve already got both emails advising I'm affected lol, I’m keen to get a new frequent flyer number generated, in addition to what will be a customer care matter, but I don’t want to get warmly referred to the sub optimal call centre again, so will be interesting to see how they handle it😂

Oh do I miss the days when qantas frequent flyer was in house (before 2018) and the lovely Auckland staff were the staff actually helping and resolving concerns.
 
It's often easy to be a part of a mob with pitch forks. In situations like these, I try to remember there was an individual that made a mistake and how it might feel for them. I recall that situation where the radio station made a prank call to a London Hospital where a Royal was admitted, impersonated someone and got put through by a (probably overworked, tired) staff member who had a lapse in concentration trying to do the right thing in their job. In that situation, the nurse ended up taking their own life, probably due to some of the media scrutiny and pitch-fork frenzy that ensued.
Indeed. I'm sure that the individual(?) at the heart of this is feeling lower than low right now.
 
Just a heads up for everyone else caught up in the hack. I just received an email offer from Qantas for a $99.50 credit on a NAB cc. Click on the "Claim Now" button. Very slick email, my FF status etc was noted. So it's started.

From the email:
How to Claim Your Gift:

  • Click on "Claim Now" to begin.
  • Follow the simple 3-step process to redeem your coupon.
Things to Know Before You Start:
  • This gift coupon can be redeemed only once. Please do not share the link with others.
  • You will need to verify your billing address.
  • Choose your preferred method for redeeming the coupon.
  • Complete SMS Verification to confirm your payment details.
  • The coupon balance will be reflected on your statement within 24 business hours.
A quick way to know that this didn't come from Qantas is that it was missing the usual "Hurry! Act now to take advantage of this amazing offer" hyperbole Qantas use to create a false sense of urgency around their marketing campaigns.
 
Not outsourced the call centre offshore to a company that doesn't uphold the same security standards and controls as the onshore one.

In past roles I've worked with offshore partners that have the security in place such as not allowing personal mobiles into the lab or call centres, but this clearly isn't the case with Mindpearl in Manila.

Many of the workers answering Qantas calls appear to be WFH. I've heard roosters crowing, dogs barking and kids giggling/crying, tv/radio all in the background when calls have been answered by Manila.

Just because there have been other leaks doesn't mean there shouldn't be consequences for this one, they haven't learnt anything from other failings.

And no, this exact combination of data has not been leaked for me before in past breaches. I don't use my real DOB on social media, and use different emails for websites than I do for financial transactions.
Mindpearl doesn’t have a contact centre in Manila.
The frequent flyer contact centre is run by TeleTech!
Back in the day when Manila did live chat before COVID, it was run by Stella BPO (Now ProbeCX). I can’t advise if this is still the case for the reservations Manila team as of 2025.
 
Although retired, I still consult on cyber security. Here are some questions that Qantas should be asked.
  • Are all QF's IT systems compliant with the Australian Signals Directorate Essential Eight maturity model?
  • If so, at which maturity level (1 (basic), 2 (better), 3 (do if you are a valuable target))?
  • Does Qantas require their sub-contractors to meet E8 L2 at a minimum?
  • Do all Qantas employees and sub contractors staff get mandatory social engineering training and testing annually?
If Qantas can't answer affirmatively to these, then they are not even doing the basics. Bet on it!

That said, I'm not losing sleep as my passport details are in so many hotels across the world and also my drivers licence in as many car rental places that the lost data is nominally public knowledge. But my QFF number less so.

The issue with this breach is that it is a bulk file of 6M records making exploitation easy and even if 0.1% of attacks using the data are successful then millions will be stolen.
 

I would have expected that the Risk and Audit Committee of the Board
Their job is mostly to cough cover execs and directors of the company by pointing to their committee and documents they have consultants write as "Risk Management policies and framework". I'd be gobsmacked if any of them on the committee even knows what Qantas does.
 
Just received a 2nd "we believe your personal information was accessed" email. But must be for my QBR account because it's a different email address to my primary QFF account.

Alas, that's the email address I've been meaning to roll over a bunch of FF accounts to....:oops:
 
I’ve received emails about this to two separate email addresses. One to the email associated with my FF account from “qantasff @“ etc and another to an email that is not associated with my FF account but which has been the contact email in some international 081 itineraries. The latter is from “loyalty@qantas” etc.
 
I’ve received emails about this to two separate email addresses. One to the email associated with my FF account from “qantasff @“ etc and another to an email that is not associated with my FF account but which has been the contact email in some international 081 itineraries. The latter is from “loyalty@qantas” etc.
Do you have a QBR account? see my previous post moments ago...
 
Just received a 2nd "we believe your personal information was accessed" email. But must be for my QBR account because it's a different email address to my primary QFF account.

Alas, that's the email address I've been meaning to roll over a bunch of FF accounts to....:oops:
Interestingly the second email address of mine that they contacted has absolutely no connection with QF other than ticketing.
 
So, within 36 hours the team identified "additional security measures" and were able to "strengthen system monitoring and detection.".

That is incredible work and the truth that the requirement for this investment in technology was previously not known, identified or discussed will be simple to justify when the representative proceeding commences.
Sharing with the hubby - IT Infrastructure Manager and CSO of a large organisation
 
Unless qantas decide to unilaterally stop redemptions, points transfers, etc., is anyone really "impacted"?

I trust the 2-FA to do the work and protect accounts.
Perhaps you have missed the point. This data will be matched with other data, both that you may have shared and that has been caught up in other breaches; at some point the facade of individual security falls away... spend 5 minutes looking at RAINBOLT and other examples. With the data leaked it is extremely easy to geolocate you.

It is almost guaranteed that your FF points are the least valuable thing at risk.....
 
I must be on a lucky streak, I’ve dealt with Manila many times over the years and have never really had any issues with service. Guess that’s about to change, just got the second email….
 