QANTAS Cyber Incident

It's basically a case of one group of FF members arguing "...I'm more heavily impacted so you should have communicated to me earlier instead of pushing a "nothing to see here" agenda with those who had nothing overly meaningful leaked" vs another group of FF members who would be arguing "...why did you keep me waiting and worrying for so long before telling me I was on the lower end of the impact scale?"

Here’s another twist in the tail…
Mrs Jimmy got the 3rd email on Wednesday saying Name & Email data leaked.
Now today, Friday at about 5pm (trash time), she gets another one (4th), saying ooops, we leaked your Phone Number too…

Edit: And now I have a 4th email to also include Phone Number.
So I got email #3 at 2230 last night. Scored a healthy 10/11. I’ve never had a meal preference. Mr Seat 0A got 9/11 - gender and meals missing. Felt angry.

Then 30 mins later emailed #4. With only 4 items. Felt confused.

I bet QF did not select angry and confused as words they wanted their brand to evoke with customers the last time they did a brand workshop.

Come on QF not good enough.




 
Interesting that Qantas isn't there yet for me
Fairly peeved about the Thermomix one

It likely won't be - unless the thieves decide to put the database out there.

That is a site covering data that's been released, typically on the dark web.

At this stage, QANTAS is the only one who has the knowledge of what has gone out as the data itself has not been released, and Qantas won't release that list to that site for privacy reasons.
 
Apologies if this has already been noted in the thread.

This morning I logged into Qantas and discovered that under the 'My Profile' tab a new section has been added - Check your data Cyber incident 2025.

This may be of use to those receiving conflicting notifications about which data has been leaked.
 

This morning I logged into Qantas and discovered that under the 'My Profile' tab a new section has been added - Check your data Cyber incident 2025.

This may be of use to those receiving conflicting notifications about which data has been leaked.

Unfortunately that section of the website contains no new information - it just lists the same fields that were emailed BUT doesn't bother to tell you the value in the fields that was leaked.

Would like to know what specific addresses were leaked and what phone numbers were leaked and whether it was First name + Middle Name + Last Name (per ticketing) or just First name + middle initial + Last Name (per profile default).
 
So I got email #3 at 2230 last night. Scored a healthy 10/11. I’ve never had a meal preference. Mr Seat 0A got 9/11 - gender and meals missing. Felt angry.

Then 30 mins later emailed #4. With only 4 items. Felt confused.

I bet QF did not select angry and confused as words they wanted their brand to evoke with customers the last time they did a brand workshop.

Come on QF not good enough.




Same for me - it's unbelievable and makes me so angry!
 
Simple. Use a personal algorithm related to the site such as AFFmember123#4$ etc.

There are many password managers including Norton etc but good idea to convert to newish passkey system if you can.
That's one lesson that I hope comes out of this. On the haveibeenpwned website, my email address has been in 12 past 'events', but I haven't suffered any losses. Mainly, I think, due to practising strong password hygiene, as I have worked on the assumption my email address and other details have been out in the wild for years (iTWire - You have zero privacy. Get over it.)

I use a process like @TheRealTMA so I have a different password for each site I use. That gets away from the problem where a criminal can reuse the same password to get into sites.

Some good information here: Set secure passphrases | Cyber.gov.au
 
I had the same thing yesterday.
One explanation could be that someone tried to get in.
Another could be that QF have set leaked accounts to force a PIN change.
There may also be others.
Someone entered their QFF number incorrectly, as your number. I know I've locked other people's accounts in places - including at work - many times before.
 
That's one lesson that I hope comes out of this. On the haveibeenpwned website, my email address has been in 12 past 'events', but I haven't suffered any losses. Mainly, I think, due to practising strong password hygiene, as I have worked on the assumption my email address and other details have been out in the wild for years (iTWire - You have zero privacy. Get over it.)

I use a process like @TheRealTMA so I have a different password for each site I use. That gets away from the problem where a criminal can reuse the same password to get into sites.

Some good information here: Set secure passphrases | Cyber.gov.au
Great recommendations and they definitely should be followed. The one remaining challenge we have though, is that with very enriched data sets being available to hackers, they don't need your passwords anymore. They simply use their social engineering techniques to bypass this vector. eg.

Hi, my name is ABC, my FF is, I have forgotten lost phone which has all my passwords encrypted on it...... my DOB is, my address is, my email is, my phone is, my medicare number is, my drivers licence is, my passport number is, my street address is....... can you reset my password.....

While many staff will be well trained to stop this attack vector, since we are talking about millions of customers' data and 100's of thousands of call center staff, some will get through...... they just did get through this vector, with the Qantas centre in Manila!!! This is the new frontier.
 
Great recommendations and they definitely should be followed. The one remaining challenge we have though, is that with very enriched data sets being available to hackers, they don't need your passwords anymore. They simply use their social engineering techniques to bypass this vector. eg.

Hi, my name is ABC, my FF is, I have forgotten lost phone which has all my passwords encrypted on it...... my DOB is, my address is, my email is, my phone is, my medicare number is, my drivers licence is, my passport number is, my street address is....... can you reset my password.....

While many staff will be well trained to stop this attack vector, since we are talking about millions of customers' data and 100's of thousands of call center staff, some will get through...... they just did get through this vector, with the Qantas centre in Manila!!! This is the new frontier.
And I just wonder what information was provided at the initial phone call to Manila that resulted in being granted access to the database. This is actually the first data breach and not the 6 million FF'ers.

So how did those credentials to the database get leaked?
 
And I just wonder what information was provided at the initial phone call to Manila that resulted in being granted access to the database. This is actually the first data breach and not the 6 million FF'ers.

So how did those credentials to the database get leaked?
Early on I recall hearing on radio that someone called Manila and claimed to be from the 3rd party data software provider. Somehow they convinced the local agent to grant them access. Before anyone tears me down, I am merely repeating what I heard on the radio and that access to the data was so easily granted. If true this is a major argument for having onshore call centres and local or locally controlled software providers.
Oh, and changing the board for treating customer privacy so flippantly.
 
Early on I recall hearing on radio that someone called Manila and claimed to be from the 3rd party data software provider. Somehow they convinced the local agent to grant them access. Before anyone tears me down, I am merely repeating what I heard on the radio and that access to the data was so easily granted. If true this is a major argument for having onshore call centres and local or locally controlled software providers.
Oh, and changing the board for treating customer privacy so flippantly.

What makes you think that being in Australia people don't fall for the same scams? It happens ALL the time.
 
Early on I recall hearing on radio that someone called Manila and claimed to be from the 3rd party data software provider. Somehow they convinced the local agent to grant them access. Before anyone tears me down, I am merely repeating what I heard on the radio and that access to the data was so easily granted. If true this is a major argument for having onshore call centres and local or locally controlled software providers.
Oh, and changing the board for treating customer privacy so flippantly.
The MO of Scattered Spider (and people think they were behind it) is to impersonate a software provider or IT person. As per CrowdStrike (SCATTERED SPIDER Escalates Attacks Across Industries | CrowdStrike)

SCATTERED SPIDER operators routinely accurately respond to help desk verification questions when impersonating legitimate employees in calls made to request password and/or multifactor authentication (MFA) resets.
 
Early on I recall hearing on radio that someone called Manila and claimed to be from the 3rd party data software provider. Somehow they convinced the local agent to grant them access. Before anyone tears me down, I am merely repeating what I heard on the radio and that access to the data was so easily granted. If true this is a major argument for having onshore call centres and local or locally controlled software providers.
Oh, and changing the board for treating customer privacy so flippantly.

Could easily happen here as well, pretend to be from the IT team, get them to install the Salesforce extension/app, share password/username and you are in...

You would also need the appropriate VPN/SASE to be able to use the system as well, and then having 2 users logged in at the same time.....

So many questions that will never get answered.
 
Some good advice here on monitoring breaches and passphrases instead of passwords.

I have a primary email account and a separate one, solely for myGov. The myGov email was created about 8 years ago after an attempted hack (and frankly abysmal response from them.)

I spent time yesterday creating new email accounts, one for banks and one for bills.

It is something I've meant to do for a long time, but this latest breach was the push I needed. It only took an hour to identify the dozen most important accounts I have and update emails for them. I'll set a regular reminder for myself to change the passwords for email accounts and each service.

I'm keeping my much-breached primary email but relegating it to newsletter subscriptions and online shopping.

I do have better things to do with my time. Life admin is tedious at the best of times, and bloody annoying when it is forced on me.
 