QANTAS Cyber Incident

I've been assuming that that was the extent of the area of data that the call centre operative allowed access to.



But thinking further (yes, dangerous I know), on the subject of "offshore" databases: why would Manila need its own local database? Would not each agent 'log in' to the system in play, so that data needn't be on a server a few km away?

Oh. Is it cheaper to store the data in the Philippines even if it means duplicating customer records? Would Cape Town have its own local database, with some of my records on it if I've been shunted to them? Auckland? Hobart?
But not all data. So they chunked it off to Manila randomly?
 
Still waiting for the very first email here.

Curious that 'only' 6 million data files were accessed. Why those 6 million? What made them vulnerable? Surely there is only one database?
Now revised down to only 5.7m.
But not all data. So they chunked it off to Manila randomly?
There is a lot we do not know about how Manila accesses the Salesforce instance, where it's located, and what access levels they are afforded. As others have said, it could be anywhere, hosted in AWS or by Salesforce through their SaaS offerings.

Many in business and government use Salesforce (hosted by Salesforce) as the front-end or customer-facing component, with the data then transferred to systems behind the organisation's cyber barriers. So again, we don't know if the access at the Philippines' end was inside or outside the primary QF network.
 
There's an assumption people are making that there needs to be some separate Salesforce partition for Manila for the dataset to be limited to a subset of customers/details. But I wonder if people have considered that when you gain access via an employee's credentials, your access is limited to what they have access to, and under the principle of least privilege access they may have only had access to a subset of the Salesforce data.

I know for me, for example, I am generally limited by region at my last two employers but can access out of region info as I am required to on an exception/request basis. Obviously airlines are different to technology companies but I am sure there are some similar approaches taken to limit "blast radius".
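The row-level scoping described in the post above, as an added example that is not part of the original thread and not anything from the Qantas or Salesforce systems: a toy Python model in which every customer record carries a servicing region, every agent profile carries the regions it may read plus time-boxed exception grants, and all reads pass through one audited choke point. The regions, record fields, agent names and ticket reference are constructed assumptions.

```python
"""Row-level scoping of CRM reads by agent profile (added example, constructed).

Toy model of the point above: every customer record carries a servicing
region, every agent profile carries the regions it may read plus any
time-boxed exception grants, and all reads go through one choke point.
A credential stolen from a regional agent then exposes only that
profile's slice of the data. Names, regions and record fields are
assumptions, not anything from the actual system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample records; the region tag is what scoping keys on.
CUSTOMERS = {
    1001: {"name": "A. Example", "region": "PH", "email": "a@example.invalid"},
    1002: {"name": "B. Example", "region": "AU", "email": "b@example.invalid"},
    1003: {"name": "C. Example", "region": "NZ", "email": "c@example.invalid"},
    1004: {"name": "D. Example", "region": "PH", "email": "d@example.invalid"},
}

T0 = datetime(2025, 7, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass
class Grant:
    """An approved, time-boxed exception to read one out-of-region record."""
    customer_id: int
    expires: datetime
    ticket: str  # reference to the approval request (assumed process)


@dataclass
class AgentProfile:
    user: str
    regions: frozenset
    grants: list = field(default_factory=list)


def can_read(profile, customer_id, now):
    rec = CUSTOMERS.get(customer_id)
    if rec is None:
        return False
    if rec["region"] in profile.regions:
        return True
    return any(g.customer_id == customer_id and g.expires > now for g in profile.grants)


def read_customer(profile, customer_id, now, audit):
    """Single choke point: decide, log the decision, then return or refuse."""
    allowed = can_read(profile, customer_id, now)
    audit.append((now.isoformat(), profile.user, customer_id, "ALLOW" if allowed else "DENY"))
    if not allowed:
        raise PermissionError(f"{profile.user} may not read customer {customer_id}")
    return dict(CUSTOMERS[customer_id])


def export_all(profile, now, audit):
    """What an attacker holding this credential could dump: only the scoped subset."""
    out = {}
    for cid in CUSTOMERS:
        try:
            out[cid] = read_customer(profile, cid, now, audit)
        except PermissionError:
            pass
    return out


def grant_exception(profile, customer_id, ticket, now, hours=4):
    """Out-of-region access on request: approved, recorded, and expiring."""
    profile.grants.append(Grant(customer_id, now + timedelta(hours=hours), ticket))


def demo():
    """Walk the scenario with a fixed clock and return the observable results."""
    audit = []
    manila = AgentProfile("agent-mnl-01", frozenset({"PH"}))
    dumped = export_all(manila, T0, audit)
    grant_exception(manila, 1002, "REQ-0042", T0, hours=1)
    return {
        "dumped_ids": sorted(dumped),
        "blast_radius": len(dumped) / len(CUSTOMERS),
        "denied_in_audit": sum(1 for row in audit if row[3] == "DENY"),
        "exception_now": can_read(manila, 1002, T0),
        "exception_later": can_read(manila, 1002, T0 + timedelta(hours=2)),
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete: a bulk read with the Manila profile returns half the records here, the denied attempts show up in the audit trail as a detection signal, and the exception grant lapses on its own rather than widening the profile permanently.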
 
Still haven't received email verifying what was stolen, so frustrating.

VH was repeating the same "we are helping customers" line on all the late night news programs last night. Wish journalists had the courage to call bs on this claim.

Qantas isn't helping customers; they haven't offered any useful tangible help, e.g. credit monitoring or guarantees that they have removed unnecessary PII like DOB from the system that was compromised.

Failing to even tell me what data was exposed in a timely manner is not helpful. Vague statements are not helpful.
 
Still haven't received email verifying what was stolen, so frustrating.

VH was repeating the same "we are helping customers" line on all the late night news programs last night. Wish journalists had the courage to call bs on this claim.

Qantas isn't helping customers; they haven't offered any useful tangible help, e.g. credit monitoring or guarantees that they have removed unnecessary PII like DOB from the system that was compromised.

Failing to even tell me what data was exposed in a timely manner is not helpful. Vague statements are not helpful.
Is it frustrating though?

I haven’t received the third email but I’m just assuming I’ve been impacted at the higher level. Nothing much that can be done, the only real thing of possible concern is DOB, which I’m sure is already out there from other data breaches.

Essentially… what’s the difference in getting an email, or not? We should all be applying 100% vigilance to any emails coming in these days, and not clicking links unless we’re sure of the authenticity.
 
No 3rd email here for mine or the +1 accounts, despite getting the first 2 emails!

VH was repeating the same "we are helping customers" line on all the late night news programs last night. Wish journalists had the courage to call bs on this claim.

Qantas isn't helping customers; they haven't offered any useful tangible help, e.g. credit monitoring or guarantees that they have removed unnecessary PII like DOB from the system that was compromised.

Failing to even tell me what data was exposed in a timely manner is not helpful. Vague statements are not helpful.

They can't/won't remove DOB from the system, as it's used to identify customers; the way Salesforce displays data to end users/contact centres is with all details visible.

Again, QF should be offering 12 months' credit monitoring to the customers whose DOB was leaked, but they simply won't and don't care.

As for helping customers: the media usually has little idea about what they are reporting on, so they think the help offered, with a pointless customer service number and by referring people to Scamwatch, Cyber and IDcare, is great. In reality it's not even worth clicking on the websites as they will not do a thing.
 

Essentially… what’s the difference in getting an email, or not? We should all be applying 100% vigilance to any emails coming in these days, and not clicking links unless we’re sure of the authenticity.

The difference is knowing the breadth of things to monitor and knowing which things that can be changed should be changed, e.g. I can get a new mailing address. If there are any linked accounts for transfers, e.g. I have to get manual intervention every time I transfer from Hilton to QFF, then I can also get those member numbers changed.

And not to mention just delivering on the promise to confirm information and stopping lying about providing any actual useful help apart from media lip service.

They can't/won't remove DOB from the system, as it's used to identify customers; the way Salesforce displays data to end users/contact centres is with all details visible.

This just simply isn't true. DOB does not have to be a mandatory field and call centre staff don't need to see this or ask for it every call. There are better ways to verify you are speaking with an existing customer; this isn't 1900, it's 2025.

You enter your FF# and PIN in the IVR, a computer validates that, plus the system can also see you are calling from the mobile number on your account; so when you get connected to an operator you should already be validated. If your call is about something more sensitive then they can initiate 2FA and you can read back a one-time code that you got via SMS or email (or approve via an app like Macquarie Bank does).

When I call my bank I never need to quote my DOB or address because of the validation done on the IVR/app before you even get to speak to a person. Zero reason Qantas can't do the same.

In fact I notice when I get Hobart they usually say something like "I can see you have already been validated by PIN" and they don't seem to ask. But the offshore call centres always seem to ask to validate again, so why have the PIN on the IVR in the first place?

Also you can MMB online with simply a PNR and surname, virtually no security to see APIS, change seat allocation, meal preferences, add/cancel extra luggage, check in. If that doesn't require DOB, why does calling to say "hey, I never received the 150 points from the Surf Life Saving promo" require this?

It is overreach. DOB is required for international ticketing and international check-in; it is not for most FF enquiries.

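The validation flow the post above lays out (FF# plus PIN at the IVR, a caller-ID match, then a one-time code for sensitive requests), as an added example that is not from the thread and not Qantas's or Macquarie's actual implementation: a toy Python model where the agent's screen shows a validation status rather than the DOB, and where a code that arrives after it expires is rejected rather than extended. The account, PIN, mobile number, TTL, retry limits and the action-to-level table are constructed assumptions.

```python
"""Caller validation that never needs the DOB read back (added example, constructed).

Toy model of the flow in the post above: the IVR checks FF number plus
PIN and whether the call comes from the mobile on file, the agent gets
a session already marked validated, and sensitive requests step up to
a one-time code. Codes expire and a late-arriving code is rejected
rather than extended. Account data, TTLs and the action-to-level table
are assumptions for the example.
"""
import hashlib
import hmac
import secrets

OTP_TTL = 120          # seconds a one-time code stays valid (assumed)
MAX_OTP_TRIES = 3      # wrong guesses before the code is burned (assumed)
MAX_PIN_FAILURES = 5   # IVR lockout threshold (assumed)


def _enrol(pin, mobile):
    """PIN stored only as a salted PBKDF2 hash, never in the clear."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pin_hash": hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000),
        "mobile": mobile,
        "failures": 0,
    }


ACCOUNTS = {"1234567": _enrol("4321", "+61400000000")}  # constructed account

# Level 1: FF# + PIN passed. Level 2: also calling from the number on file.
# Level 3: one-time code confirmed for this call.
REQUIRED_LEVEL = {"points_query": 1, "change_address": 2, "change_pin": 3}


class Session:
    def __init__(self, ff):
        self.ff = ff
        self.level = 0
        self.otp = None
        self.otp_expires = 0
        self.otp_tries = 0


def ivr_validate(ff, pin, caller_id, now):
    """Run at the IVR, before any human is involved. Returns a Session or None."""
    acct = ACCOUNTS.get(ff)
    if acct is None or acct["failures"] >= MAX_PIN_FAILURES:
        return None
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), acct["salt"], 100_000)
    if not hmac.compare_digest(digest, acct["pin_hash"]):
        acct["failures"] += 1
        return None
    acct["failures"] = 0
    s = Session(ff)
    s.level = 2 if caller_id == acct["mobile"] else 1
    return s


def issue_otp(session, now):
    """Generate a code for SMS/email/app delivery; returned here only so the demo can use it."""
    session.otp = f"{secrets.randbelow(10**6):06d}"
    session.otp_expires = now + OTP_TTL
    session.otp_tries = 0
    return session.otp


def verify_otp(session, code, now):
    """Late, exhausted or wrong codes all fail closed; a new code must be issued."""
    if session.otp is None:
        return False
    if now > session.otp_expires:
        session.otp = None       # the SMS that arrives after expiry is useless
        return False
    session.otp_tries += 1
    if session.otp_tries > MAX_OTP_TRIES:
        session.otp = None
        return False
    if hmac.compare_digest(session.otp, code):
        session.otp = None       # single use
        session.level = 3
        return True
    return False


def authorise(session, action):
    """Deny by default: unknown actions need the highest level."""
    return session.level >= REQUIRED_LEVEL.get(action, 3)


def agent_view(session):
    """What the operator sees on connect: a validation status, not the DOB."""
    return {
        "ff": session.ff,
        "validated": session.level >= 1,
        "caller_id_match": session.level >= 2,
        "step_up_done": session.level >= 3,
    }


if __name__ == "__main__":
    s = ivr_validate("1234567", "4321", "+61400000000", now=0)
    print(agent_view(s))
    code = issue_otp(s, now=0)
    print("late code accepted:", verify_otp(s, code, now=OTP_TTL + 1))
    code = issue_otp(s, now=300)
    print("fresh code accepted:", verify_otp(s, code, now=330))
```

Two design choices worth noting: the PIN and the code are both compared with `hmac.compare_digest` so response timing does not leak how many characters matched, and the expiry path clears the code so a delayed SMS cannot be replayed; the caller simply asks for a fresh one, which is the behaviour a later post in this thread complains about from Egypt, and the reason an app-based approval is a better second channel than SMS when roaming.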
 
The difference is knowing the breadth of things to monitor and knowing which things that can be changed should be changed, e.g. I can get a new mailing address. If there are any linked accounts for transfers, e.g. I have to get manual intervention every time I transfer from Hilton to QFF, then I can also get those member numbers changed.

And not to mention just delivering on the promise to confirm information and stopping lying about providing any actual useful help apart from media lip service.
🤷‍♂️ If we had to change mailing addresses after every data breach I’d run out of places to get mail sent to!

Any loss of points is going to be rectified by the companies concerned. So I’m not sure how much of an issue that is, other than the inconvenience. Which is probably less than changing my mailing address and trying to remember which addresses are with each of the dozens of service providers I have.
 
Any loss of points is going to be rectified by the companies concerned. So I’m not sure how much of an issue that is, other than the inconvenience. Which is probably less than changing my mailing address and trying to remember which addresses are with each of the dozens of service providers I have.

I do not think you can assume lost points in non-Qantas programs will just be "rectified"; even people who have had Qantas points stolen in the past have had protracted processes and have not always been successful in getting them back.

Having email proof from Qantas re what was stolen specific to you will however give more validity to any such request than just verbally saying oh Qantas was breached.

If you have the info you can decide what is and isn't too much trouble to change. I agree this is different for different people.

I'm kind of sick of reading people saying it's not important to know as this info already leaked in other breaches; that simply isn't true for everyone.
 
I have had an ever growing wave of spam calls, especially yesterday and today, since this breach, as well as an increase in phishing emails. It was the same pain as after the Optus leak. Hopefully the government gives a heavy fine to each director of the company for failure to ensure adequate security. I'm sure if all the time for these spam calls and emails was added up the cost to the economy would be huge.
 
It is over reach, DOB is required for international ticketing and international check-in it is not for most FF enquiries.
It's not clear to me that this system was about servicing FF members. Given some of the data (meal preferences, addresses for misplaced baggage), it looks like more general contact data (that in many cases would be from an FF).
 
I have had an ever growing wave of spam calls, especially yesterday and today, since this breach,
So have I, but to a different phone number and email than the one I use with QF. I don't think it's related to the QF breach but just business as usual for the scammers. If anything, maybe they're seizing the opportunity around the news to just step up their attempts?
 
So have I, but to a different phone number and email than the one I use with QF. I don't think it's related to the QF breach but just business as usual for the scammers. If anything, maybe they're seizing the opportunity around the news to just step up their attempts?

The other thing is many spam calls, texts and emails are blocked by your carrier or email provider, and when they alter their tech it can lead to an increase in scams reaching you.

Telstra recently announced new tech and since then I’ve noticed a lot more calls, but many of them with warnings it is probably a scam. So perhaps these were previously blocked outright and now are being let through with warnings.

Either way correlation does not equal causation. A classic case of confirmation bias.
 
It's not clear to me that this system was about servicing FF members. Given some of the data (meal preferences, addresses for misplaced baggage), it looks like more general contact data (that in many cases would be from an FF).
Doesn't change anything; they don't need a DOB to validate customers who have a FF#, a PIN and 2FA set up on their account. It's lazy system design.
 
Doesn't change anything; they don't need a DOB to validate customers

Agree there are other ways to validate customers, but they do need to store DOB in their systems. As mentioned it's an ICAO requirement. Furthermore if the airline services the EU, which QF does, they must retain this traveller data for 5 years.
 
Agree there are other ways to validate customers, but they do need to store DOB in their systems. As mentioned it's an ICAO requirement. Furthermore if the airline services the EU, which QF does, they must retain this traveller data for 5 years.

In ticketing system but not in the CRM. I stand by my lazy design comment.

Sensitive information should only be captured and stored for the purpose it was provided; there should be extra layers of access in order to view this data, e.g. masking it on screen and only referencing it where needed to issue a ticket.

It is why I never go to RSL or other clubs, as they insist on scanning a copy of your photo ID to admit you as a guest. I'm fine with someone eyeballing my ID but not copying it; there is zero reason they need a scan other than lazy system design. Clubs don't have sophisticated systems; you are basically giving your sensitive information to everyone.

Similarly when hotels ask if they can scan my passport I always say no. They can note in their system that they have checked my ID but they don't need to make a copy of all the details.
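The purpose-bound masking the post above argues for (keep DOB and passport in the ticketing store where ICAO/APIS needs them, show the CRM agent a masked form unless the task needs the raw value), as an added example that is not from the thread and not the airline's actual data model: a toy Python model with a single copy of the travel-document fields, a purpose table that decides what is unmasked, an audit entry for every raw read, and a refusal for any purpose not in the table. The stores, purposes, field names and sample records are constructed assumptions.

```python
"""Purpose-bound exposure of travel-document fields (added example, constructed).

Toy model of the point above: DOB and passport number sit in the
ticketing store because international ticketing and check-in need them
there, while the CRM view a contact-centre agent gets shows them masked
unless the agent is acting under a purpose that needs the raw value.
Every unmasked read is logged, and an unknown purpose is refused rather
than defaulted to "show everything". Stores, purposes and field names
are assumptions for the example.
"""

# Constructed stores. The CRM holds contact data; the ticketing store
# holds the regulated travel-document fields and is the only copy.
CRM = {
    501: {"name": "E. Example", "email": "e@example.invalid", "pax_id": "PAX-1"},
}
TICKETING = {
    "PAX-1": {"dob": "1980-01-31", "passport": "N1234567"},
}

# Which purposes may see which sensitive fields unmasked. Everything
# not listed is masked; a purpose not in the table is an error.
PURPOSE_FIELDS = {
    "general_enquiry": frozenset(),
    "reissue_document": frozenset({"passport"}),
    "issue_intl_ticket": frozenset({"dob", "passport"}),
}

SENSITIVE = ("dob", "passport")


def mask(field_name, value):
    """Leave enough for a human to confirm 'that's the right document', no more."""
    if field_name == "dob":
        return "****-**-**"
    if field_name == "passport":
        return "*" * (len(value) - 3) + value[-3:]
    return value


def customer_view(customer_id, agent, purpose, audit):
    """Assemble what the agent screen shows for this purpose; log raw reads."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"unknown purpose {purpose!r}: refusing rather than over-exposing")
    contact = CRM[customer_id]
    view = {"name": contact["name"], "email": contact["email"]}
    docs = TICKETING.get(contact["pax_id"], {})
    allowed = PURPOSE_FIELDS[purpose]
    for f in SENSITIVE:
        if f not in docs:
            continue
        if f in allowed:
            view[f] = docs[f]
            audit.append((agent, customer_id, f, purpose))  # raw read is an auditable event
        else:
            view[f] = mask(f, docs[f])
    return view


if __name__ == "__main__":
    log = []
    print(customer_view(501, "agent-01", "general_enquiry", log))
    print(customer_view(501, "agent-01", "issue_intl_ticket", log))
    print(log)
```

The consequence for a breach like the one in this thread: a CRM export taken with a general-enquiry agent's access would carry masked values only, and the unmasked reads that did happen are individually attributable to an agent and a stated purpose, which is what you want when you later have to work out what was actually exposed.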
 
You enter your FF# and PIN in the IVR, a computer validates that, plus the system can also see you are calling from the mobile number on your account; so when you get connected to an operator you should already be validated. If your call is about something more sensitive then they can initiate 2FA and you can read back a one-time code that you got via SMS or email (or approve via an app like Macquarie Bank does).
I hope that they don't go down the one time code by SMS route as I can tell you from personal experience that the SMS often does not arrive to you before the one time code expires when you are in Egypt. I had to ring the ATO and explain to them that they would just have to bloody wait because I couldn't get on to MyGov from Egypt - first world tech is great only if you are in a first world country when you need it.

I haven’t received the third email but I’m just assuming I’ve been impacted at the higher level. Nothing much that can be done, the only real thing of possible concern is DOB, which I’m sure is already out there from other data breaches.
I'm fortunate (unfortunate at the same time) that this is my first data breach - I haven't been with Optus, Medibank etc etc. Will see what happens...
 
I hope that they don't go down the one time code by SMS route as I can tell you from personal experience that the SMS often does not arrive to you before the one time code expires when you are in Egypt.

Customer can usually choose to receive by sms, email or app. The Macquarie bank App allows you to get one time codes without mobile coverage or internet access. Where there is a will there is a way.

Can't say I've ever needed to access MyGov when travelling; it's only useful for downloading vaccination status before travel and submitting a tax return, which I don't do whilst overseas. YMMV.
 