QANTAS Cyber Incident

[elanshin]

So this is a plus of strengthening security; unfortunately as far as Im aware all airlines require passport details to be associated with international tickets. If you think about it only needing a PNR and Surname to access a booking is poor security, especially since the APIS has your passport details.

Something something GDS, something something ancient systems. Too hard to change for every airline.

That seems to be the general response about all sorts of stuff related to airline IT.

 

[equus]

And company who has any level of Government as a customer is not allowed to store any of their data offshore with a couple of exemptions if its in 5 eyes partner country

That is not true. There are a lot of checks and balances, but it is not a blanket ban that applies to "all data" and "any level of Government".

 

[Aeryn]

That is not true. There are a lot of checks and balances, but it is not a blanket ban that applies to "all data" and "any level of Government".

Hence my qualifier about some exemptions.

 

[bPeteb]

Could be completely unrelated but had two calls within minutes from unknown Melbourne numbers this afternoon. I answered the first and just got silence and ignored the second. I get very few calls on my mobile.

 

[SYD]

I notice the Qantas website has been updated with the following:

• Next week, we will be in a position to update impacted customers on the types of their personal data that was contained in the system. This will confirm specific data fields for each individual, which will vary from customer to customer.

I suspect this means more data items than previously mentioned might have been exposed. Is it possible if PNRs have been exposed that a booking record could be accessed using PNR + Surname? If so then people who have entered their passport details into Advance Passenger Information will therefore have this exposed too? Is this possible?

Nothing to suggest that so far.

What’s been reported is advising what specific info relating to individuals was hacked. Apparently not a one size fits all.

 

[kevrosmith]

It’s totally time for the government to intervene in excessive data retention - both in terms of the data collected and also how long it’s retained.

The challenge many IT departments and businesses face in this context is what the definition of “retention” is. While it might be easy to delete a value in a field in a database, what about that value in that field in that database from the back up from last night, and the night before, and the night before that, and the end of month backup and end of year backup kept for the last 20 years. Does someone have to go into those backups and remove the values from there? It gets complicated. I believe the European GDPR standards allude to this sort of rigour and many companies are testing the reality of what it means for their data and backups held.

 

[kookaburra75]

Could be completely unrelated but had two calls within minutes from unknown Melbourne numbers this afternoon. I answered the first and just got silence and ignored the second. I get very few calls on my mobile.

I've been getting those sorts of calls for the past two years, so I don't think it's related to the Qantas faux pas. When I get a call where I'm not completely sure who it is, I just answer "hello" and not say my name. That's to stop calls that are fishing to confirm my mobile number is actually mine, which gives a greater value in the bad guys databases.