QANTAS Cyber Incident

Has anyone actually registered for the class action?
Yes (ironically required providing most of the data that was stolen from Qantas in the hack 😂)

I don't expect any money, but we need companies to be accountable, especially for mandated over-collection of personal data for the express purpose of monetization.
Qantas' poor cyber security practices have been known for years in the industry, the biggest surprise is it took this long.
Between Qantas, Optus and NIB there probably aren't many working-age Australians that haven't been impacted by just these three incidents alone.
 
Yes (ironically required providing most of the data that was stolen from Qantas in the hack 😂)
But you did anyway?
I don't expect any money, but we need companies to be accountable, especially for mandated over-collection of personal data for the express purpose of monetization.
Unless someone can prove loss directly from the hack, no one will see a cent other than the lawyers taking in the CA….
Qantas' poor cyber security practices have been known for years in the industry, the biggest surprise is it took this long.
The hackers actually used weakness in the Salesforce client - if anyone should be taking out class actions, it ought to be against Salesforce (and the 40 odd companies hacked the same way).
Between Qantas, Optus and NIB there probably aren't many working-age Australians that haven't been impacted by just these three incidents alone.
Yep. Unfortunately more to come….😔
 
I think one thing people keep forgetting is that regardless of company or system, the weakest point is always us humans and if we are to look at history, we can see that there aren't very many things that can't be cracked open through the people.

As AI usage and sophistication increases, we're just going to see more and more breaches. It's completely possible to replicate someone's voice and mannerisms with very short voice samples within seconds these days. I wouldn't be surprised if people could make AI video calls shortly too.
 
Thanks. I didn't connect those dots. I think such action is shameful. Publishing actual personal data - of course. But 'banning' publication of information about whether that data has been used, is treating us with contempt.
How unusual of Qantas to treat us with contempt…….
 
The hackers actually used weakness in the Salesforce client - if anyone should be taking out class actions, it ought to be against Salesforce (and the 40 odd companies hacked the same way).
It wasn't weakness in that software - as indeed, not all customers were 'hacked'.

They just utilised that software, in the same way scammers of old used to target if you had a Telstra account, or called you about "your Windows" or Westpac, or Australia Post and so on. If you then give them the keys to those accounts, they will then exploit what you gave them, in a similar way to what happened here.
 
It wasn't weakness in that software - as indeed, not all customers were 'hacked'.

They just utilised that software, in the same way scammers of old used to target if you had a Telstra account, or called you about "your Windows" or Westpac, or Australia Post and so on. If you then give them the keys to those accounts, they will then exploit what you gave them, in a similar way to what happened here.
Exactly. They knew how to get those keys to a common platform….
 
Exactly. They knew how to get those keys to a common platform….

Wasn't it by asking the local operative (?call centre?) for access or the means to access, despite the local team being warned the day before, or so, that this may happen as it was happening to other companies, including airlines.
 
I think one thing people keep forgetting is that regardless of company or system, the weakest point is always us humans and if we are to look at history, we can see that there aren't very many things that can't be cracked open through the people.
I'd agree.

Companies though should have systems in place so that when a breach does occur, the blast radius is minimised.
 
Exactly. They knew how to get those keys to a common platform….
Wasn't it by asking the local operative (?call centre?) for access or the means to access, despite the local team being warned the day before, or so, that this may happen as it was happening to other companies, including airlines.
As I understand it, it wasn't a technical vulnerability as it was using legitimate functionalities of the Salesforce platform in the manner that it was supposed to be used. The attacker posed as corporate IT asking the unsuspecting target to log onto Salesforce and put in an 8 digit code to authorise a connected app which the attacker had control over. Once they put that code in, it more or less gave them API-level access to the data.

In some sense it's like the old "download a trojan" to your computer but in a much more sophisticated way. Some of the takeaways so far are that third party apps connected to Salesforce should not be easily loaded and need to be white label approved first but these are settings and policies rather than vulnerabilities of a platform.

Also rumors that the hacker group are hinting they've got data from Indian and Brazilian governments too.
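
The takeaway in the post above (connected apps should be approved before they can be authorised) can also be checked after the fact. The following is an added example, not part of the original thread and not Salesforce code: it flags grants to apps outside an approved list and any bulk API read that follows such a grant. The event schema, field names, app names and thresholds are all hypothetical and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Hypothetical allowlist and thresholds; set these from your own policy.
APPROVED_APPS = {"Corp Data Loader", "HR Sync"}
BULK_ROWS = 10_000            # rows in one query that warrant review
WINDOW = timedelta(hours=24)  # how long after a grant to watch API use

# Constructed sample events (not real log data; field names are assumptions).
EVENTS = [
    {"ts": "2025-01-10T09:02:00", "type": "app_authorized", "user": "agent17", "app": "Corp Data Loader", "flow": "web"},
    {"ts": "2025-01-10T09:40:00", "type": "app_authorized", "user": "agent42", "app": "My Ticket Portal", "flow": "code_entry"},
    {"ts": "2025-01-10T09:45:00", "type": "api_query", "user": "agent42", "app": "My Ticket Portal", "rows": 250000},
    {"ts": "2025-01-10T10:00:00", "type": "api_query", "user": "agent17", "app": "Corp Data Loader", "rows": 1200},
    {"ts": "2025-01-12T10:00:00", "type": "api_query", "user": "agent42", "app": "My Ticket Portal", "rows": 50},
]

def audit(events, approved=APPROVED_APPS):
    """Return (severity, finding, user, app) tuples in time order."""
    findings = []
    unapproved_grants = {}  # (user, app) -> time the unapproved grant happened
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["app"])
        if ev["type"] == "app_authorized" and ev["app"] not in approved:
            unapproved_grants[key] = ts
            # A grant made by typing in a code is the pattern described in the post.
            sev = "high" if ev.get("flow") == "code_entry" else "medium"
            findings.append((sev, "unapproved_app_grant", ev["user"], ev["app"]))
        elif ev["type"] == "api_query" and key in unapproved_grants:
            recent = ts - unapproved_grants[key] <= WINDOW
            if recent and ev["rows"] >= BULK_ROWS:
                findings.append(("critical", "bulk_read_after_unapproved_grant",
                                 ev["user"], ev["app"]))
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS):
        print(finding)
```
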
 
