QANTAS Cyber Incident

[Elroy77]

The sooner these companies are fined into bankruptcy for losing OUR information the better, they might not then send OUR information to third world countries to look after!

 

[Elroy77]

So someone in Manila fell for social engineering. Sigh.

Could you ask if any PNR details were exposed?

More like one of the low paid workers downloaded them all and now Qantas are saying they got “hacked” it’s like the politicians and celebrities posting cough on their social media saying they got “hacked”

Post automatically merged: Yesterday at 5:15 PM

Nah I’d prefer an upgrade to first class on every flight for the next year thanks.


Interesting that is 6 million and Manila so those who’ve not been dealing with Manila are fine. I’d love to know how long that goes back time wise as well!

I have never rang Qantas or emailed them or anything, I got the your details have been compromised email last night

 

[RSD]

The mods have merged my "who hasn't received a notification" thread into this one - no explanation given.

As far as how big this thing is and how it is going to affect us - we will probably just have to sit and wait. I remember with one of the cyber attacks that it was revealed weeks later that the hackers had gotten a lot more of peoples data than was first revealed - lets hope this isn't the case this time!

 

[RSD]

The only thing I could really do is change my email address; fortunately I was planning on doing this anyway as I was preparing in the next few months to break the shackles of the ISP email I have been using for three decades.

LOL - at least you get a choice! My ISP was bought out by another company which then was bought by a another company - and eventually it ended up being owned by TPG in Singapore - and they decided that they couldn't be bothered maintaining the old email servers so gave all the customers about 45 days notice that they were shutting the servers down and to find a new email provider. I had kept the same email address for over 25 years and so everyone around the world who knew me knew that they could contact me on that address - it was the only personal email address that I had ever had! Wasn't happy at all but nothing I could do about it.

 

[Aeryn]

But I think this was the saving grace, it was not the QF system that was accessed but the call centres separate system. At least credit cards / passwords etc weren’t included. It would be a much bigger world of hurt if they were.

Yes but if Qantas were allowing the outsourced call centre company to keep copies of QFF
members on their local system, their contract needs to insist that the call centre providers have equivalent safeguards.

Whenever you logon to your QFF account for a new device its triggers 2FA so a PIN leak less worrisome and can be reset easily unlike PII.

 

[gtrod]

Just going through my spam.

The first scam email with full name and DOB quoted for me was on Saturday 28th June. 2 days before Qantas say they were affected.

28th June is also when FBI put out an alert about airline sector being targeted:

https://twitter.com/x/status/1938746767031574565

I suspect more airlines have been compromised. I've flown with a lot of carriers over the years.

 

[dylarr]

This wasn’t a technical breach (hack)

Yes however this only considers the initial vector used by the attacker to gain access.

Downstream, there could be many technical breaches and deficiencies beyond the social engineering aspect. Some questions I'm sure those at Qantas are asking themselves:

- Does a call centre agent have a business need to dump 6 million customer records in a very short period of time? (broken access control, insecure design)
- Was the call centre system exposed to the wider internet, even if authenticated, and if so why? (security misconfiguration)

Social engineering attacks and technical breaches are not mutually exclusive. If one is successful, you want to have controls on the other to help mitigate.

 

[Quickstatus]

This wasn’t a technical breach (hack),

Still a massive security breach.

Reminds me of "a chain is as strong as its weakest link".

 

[justinbrett]

Still a massive security breach.

Reminds me of "a chain is as strong as its weakest link".

Yes, and that’s a human.

Hence my comment this could have just as easily happened to a QF employee.

 

[Quickstatus]

QF employee.

With so many processes outsourced I'm not sure if they exist.
......
A QF employee is bound by QF rules whereas an outsourced company's employee is not. But again it's not the employee, but the security processes in place to prevent the human error or malice.

Would in-house be better?. I don't know.

 

[TheRealTMA]

Still a massive security breach.

Reminds me of "a chain is as strong as its weakest link".

As a colleague noted “it was the evil CYBER CRIMINAL wot dunnit, nothing to do with us!”

 

[pauldab]

- Was the call centre system exposed to the wider internet, even if authenticated, and if so why? (security misconfiguration)

I can almost guarantee they were using some cloud based CRM like Salesforce.
Everything's in the cloud now which is fancy talk for your information is on someone else's server, not the company you do business with.

 

[dylarr]

I can almost guarantee they were using some cloud based CRM like Salesforce.
Everything's in the cloud now which is fancy talk for your information is on someone else's server, not the company you do business with.

If it was Salesforce (Qantas use Salesforce extensively across the group but haven't confirmed if this was the system involved in this breach), you can configure trusted IP ranges which would go a long way towards preventing these kinds of attacks - so hopefully where available these types of controls are being used.

https://help.salesforce.com/s/articleView?id=platform.login_ip_ranges.htm&type=5

 

[ABC1]

This is what happens when you outsource to a third world country.

But even worse is Hudson is nowhere to be seen. Yes her electronic signature is on the emails, but the first move in crisis management is to get out there and go on the front foot. Own the mistake.

They’ll no doubt offer something they think is a good deal, but they’ll get hammered in a class action lawsuit with firms no doubt drawing up a case as I type.

And be honest… tell what you knew and when.

 

[elanshin]

This is what happens when you outsource to a third world country.

But even worse is Hudson is nowhere to be seen. Yes her electronic signature is on the emails, but the first move in crisis management is to get out there and go on the front foot. Own the mistake.

They’ll no doubt offer something they think is a good deal, but they’ll get hammered in a class action lawsuit with firms no doubt drawing up a case as I type.

And be honest… tell what you knew and when.

I think we need to drop the rhetoric about offshoring. This type of stuff can and has happened here in Australia and just about everywhere in the world.

The rest i agree with.

On an interesting note, i got another email (same as the 2nd one) today. Plus i noticed extra 2FA authentication requests a lot more on Qantas FF related stuff atm.

 

[pauldab]

If it was Salesforce (Qantas use Salesforce extensively across the group but haven't confirmed if this was the system involved in this breach), you can configure trusted IP ranges which would go a long way towards preventing these kinds of attacks - so hopefully where available these types of controls are being used.

https://help.salesforce.com/s/articleView?id=platform.login_ip_ranges.htm&type=5

You're assuming they bothered to do so - I wouldn't be surprised if they tried then dropped it when it was found to be too resource heavy updating the whitelists as time went on.

The best implementation I've seen of a geoIP based security setup is what you can do with Microsoft Azure ID (now EntraID) where anyone outside the approved IP ranges are forced to use MFA.

 

[TheRealTMA]

This is what happens when you outsource to a third world country.

But even worse is Hudson is nowhere to be seen. Yes her electronic signature is on the emails, but the first move in crisis management is to get out there and go on the front foot. Own the mistake.

They’ll no doubt offer something they think is a good deal, but they’ll get hammered in a class action lawsuit with firms no doubt drawing up a case as I type.

And be honest… tell what you knew and when.

No it doesn’t. Third world countries can have strict security standards which are up to the commissioning company to check and enforce. Optus, Telstra, Banks in Australia have similarly been incompetent in their policy of security standards.

 

[Pushka]

But even worse is Hudson is nowhere to be seen. .

And invisibility was a major issue with Optus and from memory the CEO resigned later?

 

[justinbrett]

This is what happens when you outsource to a third world country.

Have you been to the Philippines?

I don’t think many people would class it as third world. I certainly wouldn’t.

 

[Vincimus]

But still, in a country with lots of economics pressures, if you offered someone in the call centre $20k for access, would it be such a hard decision for that person - no judgement? This is the mechanism for most HUM-INT breaches anywhere.