QANTAS Cyber Incident

justinbrett · 2025-07-03T09:08:41+1000

I’m retracting my omission. Just received the email at 9am.

drron · 2025-07-03T09:11:15+1000

Mrsdrron got the second email but I haven't so far.

Traveller_Dude · 2025-07-03T09:11:28+1000

RSD said:
If anyone hasn't received a notification from Qantas yet could they please post here to help us get an idea of how widespread the hack is?

Not yet

BriarFlyer · 2025-07-03T09:13:30+1000

Nothing for me or partner, although we've not received the initial email either (checked junk, too.) Yet our non-active, never-contacted-any-call-centre bronze son did receive both notifications. I guess ours are in a holding pattern and will land eventually.

AussieTim · 2025-07-03T09:19:44+1000

I got the second email - no one else in the household. LTS, almost LTG, only travel every 1-2 years now. Last phoned QF in 2018.

My last flight was April 2024. But I did a redemption for my wife last month.

Jurahn · 2025-07-03T09:26:04+1000

trippin_the_rift said:
6M.....represents anyone who has had new bag tags issued?

I’ve never had bag tags issued from QF. Only ever been a lowly Bronze, and same as you, no points transfers in, no wine, nothing.

Post automatically merged: Today at 9:27 AM

Comoman said:
I have not contacted Manila or any call centre for at least 8 years I would think.

Same here.

VHOEJ · 2025-07-03T09:32:09+1000

Yeah, everyone who hasn't got it, check emails again. They are still coming through this morning......

SydneySwan · 2025-07-03T09:34:36+1000

We have received the emails in reverse order of status level;

Bronze son first
Silver me second
Gold wife last

lovestotravel · 2025-07-03T09:36:51+1000

Pushka said:
And be just the luck to get rerouted to the Manila call centre.

So the story this morning is that an operator in the Manila call centre allowed someone to access the data systems via a phone call. Sounds a lot of authority to be able to do that. Shame they can't use that authority to sort out issues when we call them.

Yes that is correct, from what I know, someone thought it was smart to give out username/passwords to a system to a caller..... Once that is given you can run/extract reports etc depending on the access level of the operator.

Post automatically merged: Today at 9:37 AM

AussieTim said:
I got the second email - no one else in the household. LTS, almost LTG, only travel every 1-2 years now. Last phoned QF in 2018.

My last flight was April 2024. But I did a redemption for my wife last month.

Likewise for me....

lovestotravel · 2025-07-03T09:41:05+1000

As a data point, Optus took about 4 days to offer free credit monitoring for 12 months.

But I will note that drivers licence details have not been leaked by Qantas, so the risk is quite a bit lower..

How Qantas handle this from now on, will reflect on how much they care for their customers.

10,000 points for everyone ? Free credit monitoring ? Nothing...

Duffa · 2025-07-03T09:46:16+1000

Everyone of us (4 pax) received both emails so far.
Membership numbers are consecutive - well, within 20 of each other to be precise. We all joined at the same time 25 years ago.

CMA222 · 2025-07-03T09:46:59+1000

lovestotravel said:
.......How Qantas handle this from now on, will reflect on how much they care for their customers.

Qantas will be working overtime to protect................Qantas.

BriarFlyer · 2025-07-03T09:48:26+1000

BriarFlyer said:
Nothing for me or partner, although we've not received the initial email either (checked junk, too.) Yet our non-active, never-contacted-any-call-centre bronze son did receive both notifications. I guess ours are in a holding pattern and will land eventually.

And my notification has arrived.

Seat0B · 2025-07-03T09:56:50+1000

Am I missing the point here? Many people saying that they use Authenticator/trust QF would reimburse any hacked or stolen points etc, which I get. But isn’t there a bigger risk for identity theft or other financial mischief away from QF if hackers have your name, address, email and DOB - which info is commonly used to authenticate transactions to reset passwords, port phone numbers (OMG the trouble if someone ports your phone number), etc etc.

muppet · 2025-07-03T10:00:56+1000

I always love businesses saying “importantly credit card details were not leaked” …. ummm I can get a new credit card - kinda stuck with the birthdate that you gave to everyone.

Also, IMHO Optus was a bit different, Optus wasn’t hacked - it left our details completely unsecured from memory. So I think its fair Optus faces harsher criticism than QF.

SeatBackForward · 2025-07-03T10:03:20+1000

muppet said:
Optus wasn’t hacked

I think we'll see that neither was Qantas. Someone let them in.

Townsend · 2025-07-03T10:04:29+1000

I have also received the second email. I think the last time I spoke to Manila was at least three years ago….I remember the chickens well!

Seat0B · 2025-07-03T10:06:23+1000

Seat0B said:
Am I missing the point here? Many people saying that they use Authenticator/trust QF would reimburse any hacked or stolen points etc, which I get. But isn’t there a bigger risk for identity theft or other financial mischief away from QF if hackers have your name, address, email and DOB - which info is commonly used to authenticate transactions to reset passwords, port phone numbers (OMG the trouble if someone ports your phone number), etc etc.

Now I’ve read to the end of the thread, I’m “reassured” that others see the same issues that I do. So not catastrophising, this is actually pretty bad.

kevrosmith · 2025-07-03T10:15:59+1000

“Hacked” or “let in”, I think that is unnecessarily splitting hairs on terms now… malicious access to unauthorised systems gained through malicious means with malicious intent. I’d still call that “hacked”.

From what I understand, the [not Optus, possibly Medibank, I don’t know exactly] event occurred when a contractor saved passwords to their favourite browser password vault and then logged into their account on their favourite browser on their personal PC and the password vault sync’ed and then their personal computer was compromised and someone was easily able to get corporate security details.

If the general public did some general research on what is easily possible to “hack” your toes would curl and you would never turn your PC or electronic device on again. My previous job was at a financial second-tier firm and their mantra is “not if, but when we get hacked” and they have a whole cyber security department monitoring 24/7. Many of the top consultancy firms also outsource work to Philippines et al so a lot of corporate data is being worked on overseas these days.

dairyfloss · 2025-07-03T10:20:41+1000

Seat0B said:
Am I missing the point here? Many people saying that they use Authenticator/trust QF would reimburse any hacked or stolen points etc, which I get. But isn’t there a bigger risk for identity theft or other financial mischief away from QF if hackers have your name, address, email and DOB - which info is commonly used to authenticate transactions to reset passwords, port phone numbers (OMG the trouble if someone ports your phone number), etc etc.

Thankfully, in Australia, mobile numbers are not that easily ported out; at least not without you agreeing to it verbally at the port requested number, or via SMS code verification at that number. The ACMA has rules around how this occurs for Australian numbers. They (the telcos) can also use actual documents or government online verification processes in the event the device is lost or stolen, but none of what has been potentially leaked here is really enough to put the port at risk.

QANTAS Cyber Incident

Enthusiast

Veteran Member

Junior Member

Established Member

Intern

Established Member

Active Member

Established Member

Senior Member

Senior Member

Established Member

Active Member

Established Member

Established Member

Established Member

Senior Member

Member

Established Member

Established Member

Established Member

Become an AFF member!

AFF forum abbreviations