QANTAS Cyber Incident

I also think that many don't understand just how relentless these attacks and attempts are. They may have repelled 1,000 or more attacks, but then one slips through...
Absolutely agreed.
But that's also where other protections should come into place like encrypting sensitive data, preventing large transfers etc
 
What if it was the Hobart call centre that was hacked.
Would you be calling for everything to be offshored?
No but the means to take action is greater in Australia.

If it indeed was a hapless Manila call centre employee that gave his/her credentials to a caller, giving them the ability to farm the data, do you think they will be prosecuted? After all it is a crime to share your user credentials. Will the call centre operators also be fined or sanctioned?

Probably not, as it is very hard to enforce Australian laws in other jurisdictions. This is why Aussie banks, telcos and government departments are not permitted to store customers' PII offshore.

Qantas management will also flag this as a call centre operator failure and probably move the contract elsewhere whilst avoiding a lot of the blame, something they couldn't do if it was their own onshore operated call centre.
 
Sure, but I'm bored and thought I'd see what happened.

I called the Qantas (offshore) number again and got a totally different response! Given ref # etc. Still not very helpful, but demonstrates what a cough show Qantas is in.

Yes understood - Thanks for taking one for the team :)

Yeah they set up these numbers to make it sound like they are doing something.

A reference number that will go nowhere, and a handball to IDCare is as much as you will get.

Optus were even closing off complaints about their data breach with no compensation and the standard copy and paste response... which is expected given the volume of complaints.. They did offer IDCare and free data as well eventually...

But yeah Qantas will do pretty much nothing else from this to be honest. The PR team will do another few media releases and then BAU

What if it was the Hobart call centre that was hacked.
Would you be calling for everything to be offshored?

Even if done here, the employee would lose their job and that would be about it.
 
After all it is a crime to share your user credentials.
Is it though? Clearly it's unethical. Clearly it would be against many companies' internal policies, and in many instances, it would also violate platform licensing agreements and T&Cs. But illegal? That might be drawing a long bow.
 

I received the first message in my Junk mail box but have not received the second one. I have never contacted Qantas by phone or email.
 
No way I'm ever saying that to someone who's called me unsolicited.
Right, and then they get so snippy with you when you refuse! My gym tries this on a semi-regular basis. I always say to them "it's the name, email and DOB in your records, and the phone no you called me on. And BTW, you called me out of the blue and I have no idea who I am speaking to. You say you're my gym, but how do I know you're not a hacker? Perhaps you could give me your name, address, phone no and dob so I can verify who I am talking with!" Funnily enough, they always refuse to provide those details to a random stranger.
 
Is it though? Clearly it's unethical. Clearly it would be against many companies' internal policies, and in many instances, it would also violate platform licensing agreements and T&Cs. But illegal? That might be drawing a long bow.

No, don't think so. As it's the means of giving that unauthorised person access to PII. Under the Privacy Act it is illegal to collect or share or use PII for purposes other than for the reason it was collected for.

When I consented to Qantas collecting my PII in order to book tickets or be eligible to collect/use FF points, I did not consent to their employees giving access to that data to people who do not need that information to facilitate my travel or FF requests.
 
Damn def got Manila when booking an Emirates award TNR - SEZ a few months ago. Only time I've called QF in a few years. Now got the you've been hacked email. 😔
 
And me too - I have received the two emails, personally signed by the CEO <sarcasm/>.

But will anything real actually happen? As others have discussed, probably no. And certainly, whoever set up the offshoring contracts didn't think of information security as being a mandatory requirement - and they should have. Maybe another fine might get the Board of Qantas' attention: "Fines for massive data breaches to increase to at least $50 million after Optus and Medibank hacks"

Tell me - what should the board have done to avoid this?

I've never met an airline that didn't have fking insanely strict protocols, policies, procedures, ongoing training, MDM, PC management.
QF call center, mobile phones are not even allowed on the floor. QF also has a culture of safety (more so than other airlines), and this flows over into digital safety and conservative approaches to everything they do.

The take that nobody wants to consider is that your information, mine, and everyone else's has been long exposed by other companies. Look at how many times Facebook/Meta, LinkedIn, Microsoft, Marriott, Medibank, Optus and other major companies have had our data leaked. These kinds of leaks happen so frequently in the USA that they never make headlines anymore. Your data, and mine - has been available for a long time.
 
Tell me - what should the board have done to avoid this?

Not outsourced the call centre offshore to a company that doesn't uphold the same security standards and controls as the onshore one.

In past roles I've worked with offshore partners that have the security in place such as not allowing personal mobiles into the lab or call centres, but this clearly isn't the case with MindPeral the call centre operator in Manila.

Many of the workers answering Qantas calls appear to be WFH, I've heard roosters crowing, dogs barking and kids giggling/crying, TV/radio all in the background when calls have been answered by Manila.

Just because there have been other leaks doesn't mean there shouldn't be consequences for this one, they haven't learnt anything from the failings of other companies.

And no, this exact combination of data has not been leaked for me before in past breaches. I don't use my real DOB on social media, and use different emails for websites than I do for financial transactions.
 
Not outsourced the call centre offshore to a company that doesn't uphold the same security standards and controls as the onshore one.

In past roles I've worked with offshore partners that have the security in place such as not allowing personal mobiles into the lab or call centres, but this clearly isn't the case with MindPeral in Manila.

Many of the workers answering Qantas calls appear to be WFH, I've heard roosters crowing, dogs barking and kids giggling/crying, TV/radio all in the background when calls have been answered by Manila.

Just because there have been other leaks doesn't mean there shouldn't be consequences for this one, they haven't learnt anything from other failings.

And no, this exact combination of data has not been leaked for me before in past breaches. I don't use my real DOB on social media, and use different emails for websites than I do for financial transactions.

Qantas has more people with CEO titles than any other airline in the world.
Then there's the layer underneath those CEOs with commercial titles.
Then operational ones....

The org is extraordinarily top-heavy compared to other airlines, and thus, many targets to go after before the board.
Unless the CISO reports direct to the board (not uncommon), then things get interesting!

There is a point where we must agree that engaging with any organisation comes with a degree of risk.
All that can be done is put as many measures in place as possible, beyond regulatory requirements, continuously monitor, train etc.
Same deal with aircraft safety. Nothing is 100%.

I'm in the affected group too- and I'm already over it.
 
No, don't think so. As it's the means of giving that unauthorised person access to PII. Under the Privacy Act it is illegal to collect or share or use PII for purposes other than for the reason it was collected for.
I think we're somewhat splitting hairs on this one. The act of sharing login credentials is not illegal in and of itself. However I would agree with your argument that unauthorised access and utilisation of PII is a definite no-no.

Not outsourced the call centre offshore to a company that doesn't uphold the same security standards and controls as the onshore one.
At the risk of sounding like I'm defending Qantas (which I assure you I'm not), that's a big assumption you're making.

If the reports are accurate about this having been a social engineering "hack", then such an incident could just as easily have occurred with an in-house call centre.
 
It's often easy to be a part of a mob with pitchforks. In situations like these, I try to remember there was an individual that made a mistake and how it might feel for them. I recall that situation where the radio station made a prank call to a London hospital where a Royal was admitted, impersonated someone and got put through by a (probably overworked, tired) staff member who had a lapse in concentration trying to do the right thing in their job. In that situation, tragically, the nurse ended up taking their own life, probably due to some of the media scrutiny and pitchfork frenzy that ensued.
 
I hope that a Class Action against QANTAS eventuates from this. I want blood after my critical personal ID details have been stolen. There has to be meaningful accountability. Have now initiated serious anti financial fraud measures to protect myself.
 
