QANTAS Cyber Incident

[GrahamBRI]

Still waiting on one more third email (not in spam)…….
Thinking why this might be delayed, I had a look at the third email for other family members, I note in these emails that Qantas says:

“Our customer records are based on unique email addresses, so if you have multiple email addresses registered”

Well, if this is true, this is an issue, if it is as written (records are based on unique email addresses) - I have one email address used on 2 different family member accounts. Records should be based on unique frequent flyer numbers, not email addresses?

Interesting to hear from those still waiting if they have a similar setup - one email address, multiple accounts?

 

[downgraded]

hasn't called Qantas in ages but I spoke to Qantas Cash 30 June ? Manila and Qantas FF on 12 June

Haven't booked a QF flight nor called a QF call centre in over 6 years but I got the email.

 

[Andy72]

Still waiting on one more third email (not in spam)…….
Thinking why this might be delayed, I had a look at the third email for other family members, I note in these emails that Qantas says:

“Our customer records are based on unique email addresses, so if you have multiple email addresses registered”

Well, if this is true, this is an issue, if it is as written (records are based on unique email addresses) - I have one email address used on 2 different family member accounts. Records should be based on unique frequent flyer numbers, not email addresses?

Interesting to hear from those still waiting if they have a similar setup - one email address, multiple accounts?

That’s me. No email

 

[offshore171]

Thanks. The article made the point that I and some others have been making. Its not the threat to our Qantas accounts necessarily, but the incremental (and perhaps updating) compilation of data thats 'out there' to be a greater menace to our other on-line log-ins.

Precisely. This seems to be the aspect that many have missed. The dataset can be used to perform enrichment against other data. Fairly easy with a readily available tool like Alteryx or similar.

From 6 million records, even if the just 1% of these can be enriched against other datasets to the level that it is usable to attack those customers, there is a big problem.

 

[GDSman]

2nd email received this arvo

Our cyber security teams have undertaken an investigation and we can confirm that the following types of your data held on the compromised system was accessed:

Name
Email address
Qantas Frequent Flyer number
Tier
Points balance
Status Credits
Date of birth
Phone number

Yep - got the email late yesterday with this same set. Wife and son only had Name, email, FF number as Silver (I'm LTG) - wonder if the status/length of membership is a factor. First time I've had that much personal data lost and I admit to feeling pretty pissed off with QF.

 

[oz_mark]

Still waiting on one more third email (not in spam)…….
Thinking why this might be delayed, I had a look at the third email for other family members, I note in these emails that Qantas says:

“Our customer records are based on unique email addresses, so if you have multiple email addresses registered”

Well, if this is true, this is an issue, if it is as written (records are based on unique email addresses) - I have one email address used on 2 different family member accounts. Records should be based on unique frequent flyer numbers, not email addresses?

Interesting to hear from those still waiting if they have a similar setup - one email address, multiple accounts?

It seems to be because it is a more general customer system, not specifically a frequent flyer system.

 

[justinbrett]

Still waiting on one more third email (not in spam)…….
Thinking why this might be delayed, I had a look at the third email for other family members, I note in these emails that Qantas says:

“Our customer records are based on unique email addresses, so if you have multiple email addresses registered”

Well, if this is true, this is an issue, if it is as written (records are based on unique email addresses) - I have one email address used on 2 different family member accounts. Records should be based on unique frequent flyer numbers, not email addresses?

Interesting to hear from those still waiting if they have a similar setup - one email address, multiple accounts?

It’s because if you send an email to the ff mail address it automatically raises a ticket and assigns to your profile if it’s a known email address.

This has been the case for 20+ years. If you send and email from an address you use for multiple accounts it doesn’t know which person to raise the ticket against, so it just picks one.

 

[ChrisW.]

Am I the only one that also had the address leaked so far?

Our analysis has found that the following types of your data held on the compromised system was accessed:
Address
Name
Email address
Qantas Frequent Flyer number
Tier
Points balance
Status Credits
Date of birth
Phone number

 

[DejaBrew]

Am I the only one that also had the address leaked so far?

Our analysis has found that the following types of your data held on the compromised system was accessed:
Address
Name
Email address
Qantas Frequent Flyer number
Tier
Points balance
Status Credits
Date of birth
Phone number

No, a couple have already reported they had their address(es) leaked.

 

[kpro]

Am I the only one that also had the address leaked so far?

Same level of information leaked as me, and emailed only received this morning as opposed to family member who received it 2 days ago.

If I were to guess, the greater information leak might be those people who had called up and reached the offshore center?

 

[zsw]

Am I the only one that also had the address leaked so far?

Our analysis has found that the following types of your data held on the compromised system was accessed:
Address
Name
Email address
Qantas Frequent Flyer number
Tier
Points balance
Status Credits
Date of birth
Phone number

I'm in for the address party too...just got the email. Personally most unhappy about Address as often the combination of Date of Birth, Full Name and Address is used as validation when calling a range of services. 2 of these are not changeable and the 3rd one is very hard to change.

Correct that this is often paired with a MFA but nonetheless to have that much information revealed is very frustrating and leaves a single layer of protection for validation. I know some people on here have said that any service that doesn't use MFA is something you shouldn't use but that means we shouldn't have been using Qantas or Virgin for a very long time until they recently put in MFA.

Well done to the posters who correctly predicted that Qantas would send the emails in severity of information leaked. Very convenient for it to take them 48 hours to get to the worst impacted.

As to why so much of my information was leaked I can only assume it was the 20+ phone calls and 10+ emails I had to go through in an effort to get a COVID refund back. Qantas is always the gift that keeps on giving...

 

[SYD]

Am I the only one that also had the address leaked so far?

Our analysis has found that the following types of your data held on the compromised system was accessed:
Address
Name
Email address
Qantas Frequent Flyer number
Tier
Points balance
Status Credits
Date of birth
Phone number

Nope. My Home address (I assume) linked to my QBR account made the cut. Fortunately not DoB.

But Optus leaked all that already…

 

[Strikes]

Just got the email then - I'm surprised it didn't include my eye colour and favourite movie...

• Address
• Name
• Email address
• Qantas Frequent Flyer Number
• Tier
• Points balance
• Status Credits
• DOB
• Phone Number
• Gender
• Meal Preference

 

[RB001]

Another one for Club Address.

Address
Name
Email address
Qantas Frequent Flyer number
Tier
Points balance
Status Credits
Date of birth
Phone number

Minimal contact - most recently a successful ORC claim last year, otherwise 1 or 2 calls per year (2020/2021/2022/2023 - not bothered since then) chasing points refund from COVID-era shenanigans. (Still unresolved)

 

[nancypants]

Just got the email then - I'm surprised it didn't include my eye colour and favourite movie...

• Address
• Name
• Email address
• Qantas Frequent Flyer Number
• Tier
• Points balance
• Status Credits
• DOB
• Phone Number
• Gender
• Meal Preference

I think you win bingo!

I’ve never had a meal preference so they wouldn’t have been able to leak that

Also I don’t know which address they hold for me- likely either an old one or possibly a PO box

 

[Aeryn]

Finally got the email in last few minutes:



Luckily no DOB for me BUT i would like to know which specific addresses have been leaked - was it a home address, address I had luggage delivered to when AA lost it (that was a friends home) or my PO box or former employers address for when they used to book flights for me?

For things that can change like Address, email address and phone number Qantas should tell us what the value leaked was; if its already out of date we need be less worried.

And Id like to know if its full name or just first name, middle initial, last name (my first and last are very common, but my middle name is very rare). And I have made sure to amend my middle initial to full middle name on international bookings no there is no issue matching to passport in places where they are super fussy.

 

[Be.au]

Everything but my meal preference!

Our analysis has found that the following types of your data held on the compromised system was accessed:
Address
Name
Email address
Qantas Frequent Flyer number
Tier
Points balance
Status Credits
Date of birth
Phone number
Gender

 

[Dmac59]

I just received the confirmation email that my full suite of information was leaked.

Our analysis has found that the following types of your data held on the compromised system was accessed:

• Address
• Name
• Email address
• Qantas Frequent Flyer number
• Tier
• Points balance
• Status Credits
• Date of birth
• Phone number

 

[offshore171]

Damn they are in full drip-feed mode now.

They soften you up with announcements making it sound not so bad.

Now a week later we are seeing a bunch of full bingo cards.

 

[SYD]

Address Club x2…

Just got the email relating to my primary FF account with the “Platinum” FF banner on the email (previous advice email for QBR account was generic)…

Address
Name (I assume full name including full middle name)
Email address
QFF#
Tier
Points Balance (another excuse to burn some before the deval)
SCs
DoB
Phone number

SYD+1 the same, but also scored “Gender”…