QANTAS Cyber Incident

[RooFlyer]

Jokes on them, my profile data is years out of date!

Oh. You've changed your date of birth and you've changed your e-mail from the one Qantas has? That must make bookings a bit tricky.

 

[kangarooflyer88]

First time reading @kangarooflyer88’s posts?

Do you know who I am? No serious I thought you might know my name and identity given the data breach!

 

[kookaburra75]

First time reading @kangarooflyer88’s posts?

Yes, I should have known better I should have twigged at the blood type

But, I am writing to Qantas to get some clarity.

 

[kangarooflyer88]

Can you clarify that this is not a joke? Hard to tell in here sometimes, and I can see some members have left “Laugh” reaction emojis.

I thought the blood type and breakfast item at Qantas Chairman’s lounge was enough. I suppose I should’ve added Safe Word When Uncle Alan is around to the list just so that it is completely over the top!

 

[justinbrett]

Oh. You've changed your date of birth and you've changed your e-mail from the one Qantas has? That must make bookings a bit tricky.

Not concerned about those fields of data.

Data breaches happen all the time. Mine were leaked in the MGM breach in 2023, courtesy of the same crime gang that has now targeted QF.

I don’t think people realise how often this happens, and it’s only some times you get told it happens (especially for smaller companies).

Residential address is really the one field I’d prefer not to be leaked but I’m so lazy I haven’t changed it on most sites since moving last year (I still have a mail redirection).

The email I have on Qantas isn’t the one I use but it is redirected to it, so easily changed. I won’t bother though.

 

[RooFlyer]

Data breaches happen all the time. Mine were leaked in the MGM breach in 2023, courtesy of the same crime gang that has now targeted QF.

Sure, but its the aggregation of data 'out there', and updating of some fields (ie I've changed my Qantas e-mail over the past year) that is the problem. The IDCare advice of 'don't worry, this data can't be used to hack your bank accounts or credit cards' is risible. I think of it like the 'swiss cheese' model of accidents - eventually the holes (data) will line up and some malevolent actor will be able to get through to something important. I'd rather Qantas didn't facilitate that.

If this data is not of value to them, presumably the hackers would just chuck it away and move onto the next target.

And personally, I'm not of the group thinking 'this happens all the time <shrug>'. Many crimes happen all the time, unfortunately and I'm never going to think 'yeah, whatever', especially when I'm a victim.

 

[justinbrett]

Sure, but its the aggregation of data 'out there', and updating of some fields (ie I've changed my Qantas e-mail over the past year) that is the problem. The IDCare advice of 'don't worry, this data can't be used to hack your bank accounts or credit cards' is risible. I think of it like the 'swiss cheese' model of accidents - eventually the holes (data) will line up and some malevolent actor will be able to get through to something important. I'd rather Qantas didn't facilitate that.

If this data is not of value to them, presumably the hackers would just chuck it away and move onto the next target.

And personally, I'm not of the group thinking 'this happens all the time <shrug>'. Many crimes happen all the time, unfortunately and I'm never going to think 'yeah, whatever', especially when I'm a victim.

Can’t do much with with name, email and DOB. I could list this for about half of my real friends and probably more than half of my Facebook friends.

I’d really only be worried about anything financial and my institutions are like Fort Knox, annoyingly so most of the time.

It’s just stupid to think you can open credit in 2025 with just this information, and sure if my DL or passport leaked I’ll worry about THAT but not this. Even then there have been many changes implemented since the Optus leak, the QLD government implemented a separate drivers licence card number separate to the licence number (which some states had already) and most are going to require to sight the actual ID, or at least a scan of it. You don’t think with the scale of these leaks (not just QF) that Australian companies might pay due diligence and improve their identification and verification requirements?

I’m in the camp that security needs to be increased at the access point. The ship has already sailed on the data IMO.

 

[3littlpigsfly]

Address, name, email, QFF #, Tier, DOB, Phone, Gender.
Angry doesn't express it.

My husband and I both had the same.
Not happy Jan.

 

[RooFlyer]

It’s just stupid to think you can open credit in 2025 with just this information,

Which no-one is saying, of course . Unfortunately you are still just emphasising this data hack, just like Qantas is. Ignoring the point being made by me (even in the post you quoted) and others that its data aggregation that's the worry. But you just keep up the line 'nothing to see here'.

nd sure if my DL or passport leaked I’ll worry about THAT but not this.

Ever stayed at a hotel overseas and had to leave your passport for a while or they took a copy? Few bucks to someone at an airport hotel should yield thousands of passports details. So, assume your is out there. How are you feeling now?

 

[justinbrett]

Which no-one is saying, of course . Unfortunately you are still just emphasising this data hack, just like Qantas is. Ignoring the point being made by me (even in the post you quoted) and others that its data aggregation that's the worry. But you just keep up the line 'nothing to see here'.



Ever stayed at a hotel overseas and had to leave your passport for a while or they took a copy? Few bucks to someone at an airport hotel should yield thousands of passports details. So, assume your is out there. How are you feeling now?

Feeling fine!

Being doing that for decades, never been hacked yet. Passport details change and I’m due for a new one anyway.

They don’t give you a credit card if you quote a passport number. They actually need to sight it. Again - increased security at the access point.

 

[RooFlyer]

They don’t give you a credit card if you quote a passport number.

Groan. Still missing the point.

 

[justinbrett]

Groan. Still missing the point.

I’m well aware of the situation and the requirement to get credit or really do anything in 2025. I need to use 2FA to do my Woolies shop. I know my JP by name as it seems I’m getting certified true copies done monthly these days.

No amount of hysteria is going to convince me to join the panic club.

 

[moa999]

Can’t do much with with name, email and DOB.

I’m in the camp that security needs to be increased at the access point. The ship has already sailed on the data IMO.

Agreed.

It's also about system design. There should be protections to stop anyone remotely downloading a database.

And database design should provide more protection (eg. Encryption) to partially sensitive data like DOB.

At least QF had seemingly done the right thing with passwords...

Still today I get emails using my password from the LinkedIn breach.. as if an old password is going to convince me to transfer Bitcoin to some unknown address.

 

[offshore171]

No amount of hysteria is going to convince me to join the panic club.

Gotta say I'm seeing a bit of Main Character Syndrome here

No one is asking that - it's not all about you. These data breaches can affect different individuals in different ways.

From the 6 million, there will be a small subset that have their data enriched against other sources to the point where it is useful, and/or a subset will be targeted for phishing/spearphishing and so forth.

Some of these victims will be less data security literate. There's a very broad range of people in a data set of 6m

It's not valid to proclaim "It's not damaging for me, therefore it's not damaging for anyone".

 

[Pushka]

I've not reached preservation age yet - can super accounts/SMSF's be drained using the key 9 points of data and/or similar social-engineering methods as Manila?

Good to see some folks can still make light-hearted jokes about bingo at this point... good luck all

We did a withdraw not long ago. Of course they also need to know how to log into your super fund account. Calling up with those details and the same. But email, dob, an ID and not much more was all that was required.

 

[justinbrett]

Gotta say I'm seeing a bit of Main Character Syndrome here

No one is asking that - it's not all about you. These data breaches can affect different individuals in different ways.

From the 6 million, there will be a small subset that have their data enriched against other sources to the point where it is useful, and/or a subset will be targeted for phishing/spearphishing and so forth.

Some of these victims will be less data security literate. There's a very broad range of people in a data set of 6m

It's not valid to proclaim "It's not damaging for me, therefore it's not damaging for anyone".

No I stated how I felt about the situation and one member wanted to change my mind. He hasn’t.

 

[drron]

As I have said your emails are exceedingly likely to be on the dark web. You can use the free site HaveIbeenPwnded to see. Here is my report.


I have a paid access as well and it says 12 times plus names the incidents. Half I was not aware of.
So I am in agreement with @justinbrett .

 

[mrsterryn]

As I have said your emails are exceedingly likely to be on the dark web. You can use the free site HaveIbeenPwnded to see. Here is my report.
View attachment 457154

I have a paid access as well and it says 12 times plus names the incidents. Half I was not aware of.
So I am in agreement with @justinbrett .

Interesting that Qantas isn't there yet for me
Fairly peeved about the thermonix one

 

[SYD]

As I have said your emails are exceedingly likely to be on the dark web. You can use the free site HaveIbeenPwnded to see. Here is my report.
View attachment 457154

I have a paid access as well and it says 12 times plus names the incidents. Half I was not aware of.
So I am in agreement with @justinbrett .

Interestingly, last time I checked a few days ago, none of my emails came back “pwned” despite being in multiple breaches.

The glass half full interpretation is not all data makes it out there. The glass half empty is the website only has the tip of the iceberg.

But @drron seems to be excelling. If that’s all for the same email - time for a new one (or three).

 

[offshore171]

As I have said your emails are exceedingly likely to be on the dark web.

Sure, but an email address in isolation is one thing.

Do they have it in a dataset, accurately matched against your Date of Birth, home address, private phone number, and so on. They quite possibly do now, thanks to QF.

That's when it gets more "useful" particularly if they use these fields as a primary key to then enrich against other leaked datasets.

Qantas hasn't done anyone any favours here.