QANTAS Cyber Incident

[MELso]

Never have I been so glad that my Qantas Frequent Flyer account has my date of birth incorrect!

 

[DejaBrew]

Did you forget Medibank, Latitude, MediSecure (lol), ClubsNSW, Service NSW, Telstra, etc?

Easier to name the companies that haven't suffered a breach

 

[OATEK]

"Strengthen system monitoring and detection" is most likely sends the system feed to another instance of SIEM somewhere else ...... But then no one actually monitors the SIEM anyway.

Oh, I think that is harsh! I am sure they monitor the storage requirements for the collected data! How much gets read, yes that is the question. Assume a growing involvement of AI in SIEM review, but where QF are up to is anybody's guess.

 

[Daver6]

It's often the internal systems that are the least protected, as application teams heavily rely on network-level security and ignore application-level security.

Thankfully that's the legacy way of thinking about it and more and more companies are trying to move towards ZTA. Problem is, most don't understand it or think ZTA is a single product.

Post automatically merged: Yesterday at 1:17 PM

Easier to name the companies that haven't suffered a breach

Let me compile that list quickly. Oh wait...it's more like an empty set.

Probably put companies into two lists. Those that are aware they've been breached and those that have been breached but they just don't know it.

Above comment is a tongue in cheek, but probably a little closer to the truth than we'd like.

 

[Pushka]

They certainly have in the past, last year I found out my elderly dad had his pin as DDMM of his birthday and forced him to change it to something not obvious.

I forgot my password earlier this year and tried to change it do year (not month) and it wouldn't allow it.

 

[Hadun]

Someone over on OzBargain wanted them to gift 50k points "as an apology". Good luck getting that!

Is that less or more likely than what someone else above hoped for that execs would be held responsible and their bonuses confiscated?

Yes.. 2FA...

I mean at least that alone seems to have been enough to (maybe) prevent a bunch of account fraud ala what happened to Virgin Velocity awhile back before they bothered adding it.

 

[oz_mark]

Easier to name the companies that haven't suffered a breach

There's two types of companies
1) Those that have had a data breach
2) Those that don't know they've had a data breach

 

[Pushka]

Received the first email about the problem:



Now wait and see for a second

Well, I hold an account for son who has never used it. Zero status. Zero points. He got this email. We, on the other hand, both active and WP have received - nothing.

 

[kangarooflyer88]

Will be interesting to see how the EU responds to this alleged breach and whether a fine will be levied.

 

[Aeryn]

Well, I hold an account for son who has never used it. Zero status. Zero points. He got this email. We, on the other hand, both active and WP have received - nothing.

I got the generic email which just says same thing as the website, what I want to know is specifically if my own details were in the 6M records breached or not.

 

[oz_mark]

I got the generic email which just says same thing as the website, what I want to know is specifically if my own details were in the 6k records breached or not.

That would be 6 million records, not 6k.

 

[DejaBrew]

We, on the other hand, both active and WP have received - nothing.

Give it time. For such a massive email send, it's pretty normal that it will be split into smaller batches that are sent over an extended period of time.

 

[Matty F]

leaking birth dates is a huge security violation, I'm surprised how their email attempts to downplay the severity

I wish more people were aware of how sensitive & important it is to guard your birth date

 

[Flyerwin]

Equifax ?

Experian via Commonwealth Bank.

 

[MELso]

leaking birth dates is a huge security violation, I'm surprised how their email attempts to downplay the severity

I wish more people were aware of how sensitive & important it is to guard your birth date

Indeed - given that they don't actually use the DOBs anymore, I don't know why (other than sheer inertia/laziness) they've been retained.

(I was recently reminded that my DOB was incorrect because it was pre-populated on a Qantas Health Insurance quote, but can't remember the last time they had any other use).

 

[Flyerwin]

I just got locked out of my MyGov account - I wonder if it's related to the hack. Hackers already trying to brute force accounts?

 

[Captain Halliday]

Well, I hold an account for son who has never used it. Zero status. Zero points. He got this email. We, on the other hand, both active and WP have received - nothing.

Mine went to spam because it came from an email address I’ve not seen Qantas use before.

Way to give customers peace of mind.

 

[gtrod]

Brute forcing 4 digit pins is not an option as accounts quickly get locked out but having FF# and Surname significantly lowers the bar.

You don't need to worry about brute forcing individual accounts when you have so many pairs of FF# and surname.

You get 3 chances to guess the right number. That means for each account they try to access they have a 1 in 3,333 chance of guessing correctly.

They have 6,000,000 accounts.

So just guessing 3 numbers for each of the 6mil accounts will be successful 1,800 times.

 

[MELso]

I just got locked out of my MyGov account - I wonder if it's related to the hack. Hackers already trying to brute force accounts?

View attachment 454780

They try and brute force MyGov all the time. The pro tip is to switch off your email address as a username (which they seem to have done), set up a passkey and turn off passwords.

 

[Aeryn]

Mine went to spam because it came from an email address I’ve not seen Qantas use before.

Way to give customers peace of mind.

Weird mine came from the usual Qantas Frequent Flyer address