QANTAS Cyber Incident

So QF are really sorry...blah blah. My question is they have through one way or another leaked personal information of many. What recourse (action against QF) is open to the affected?

I also believe that QF would not know much about risk management and how to recognise (risk). Once again lessons to be learnt but always at the inconvenience and worry of the pax/member.
 
prank call to a London Hospital where a Royal was admitted, impersonated someone and got put through by a (probably overworked, tired) staff member who had a lapse in concentration trying to do the right thing in their job. In that situation, tragically, the nurse ended up taking their own life, probably due to some of the media scrutiny and pitch-fork frenzy that ensued.

I remember that case and it was terribly sad. Wasn't it a couple of Australian shock jocks behind it?

In contrast this AFF thread, to its credit, doesn't appear to be going after the unfortunate sod who reportedly succumbed to the social engineering hack.

Rather I am seeing calls for board and CEO level accountability. Which is as it should be.

What on earth has the risk committee been doing for the last few years? What cyber maturity assessments were done, how often, and what controls were in place?
 
So QF are really sorry...blah blah. My question is they have through one way or another leaked personal information of many. What recourse (action against QF) is open to the affected?

I also believe that QF would not know much about risk management and how to recognise (risk). Once again lessons to be learnt but always at the inconvenience and worry of the pax/member.

Nothing - There will be a class action that will go nowhere
 
Nah I’d prefer an upgrade to first class on every flight for the next year thanks.


Interesting that is 6 million and Manila so those who’ve not been dealing with Manila are fine. I’d love to know how long that goes back time wise as well!
Can confirm my son who had no dealings whatsoever with any call center received confirmation his details had been compromised. All he did was redeem a reward flight a year.....6 million is a lot of customers and I would assume majority of QFF customers have been compromised...now let's wait for the class action lawsuits!
 

Important bit:
There are 6 million customers that have service records in this platform. We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant. An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers.

Importantly, credit card details, personal financial information and passport details are not held in this system. No frequent flyer accounts were compromised nor have passwords, PIN numbers or log in details been accessed.
I also think that Qantas Credit Cards were hacked too. Both my son and I had activity from the same company (Mine 16 times in one night).
 
I think we're somewhat splitting hairs on this one. The act of sharing login credentials is not illegal in and of itself. However I would agree with your argument that unauthorised access and utilisation of PII is a definite no-no.


At the risk of sounding like I'm defending Qantas (which I assure you I'm not), that's a big assumption you're making.

If the reports are accurate about this having been a social engineering "hack", then such an incident could just as easily have occurred with an in-house call centre.
There may be key network architecture issues at play in this together with authentication differences. For someone to log in with the "hacked" credentials suggests a lack of MFA. Where you are in the corporate network could see different security layers applied. And Salesforce as a SaaS provider would be different to in-house users with all the SSO and other layers often quite variable between in-house to off-shore locations.
 
I hope that a Class Action against QANTAS eventuates from this. I want blood after my critical personal ID details have been stolen. There has to be meaningful accountability. Have now initiated serious anti financial fraud measures to protect myself.
While there is a good chance of that happening, I wouldn't expect it in a hurry. In the Medibank case there are still discussions over what is and isn't subject to legal privilege.
 
A very warm welcome aboard AFF @suebale :)

Important bit: I also think that Qantas Credit Cards were hacked too. Both my son and I had activity from the same company (Mine 16 times in one night).
That would be a massive development, however the credit cards are managed by separate financial institutions and we would have already been hearing about that from them (i.e. the risk is massive for them to not take immediate action once they're aware of a significant volume of customers having become compromised).
 
There may be key network architecture issues at play in this together with authentication differences. For someone to log in with the "hacked" credentials suggests a lack of MFA. Where you are in the corporate network could see different security layers applied. And Salesforce as a SaaS provider would be different to in-house users with all the SSO and other layers often quite variable between in-house to off-shore locations.

Correct - Also depends on what QF have set up.

Our onshore and offshore authentication is basically the same, even when in-house in the office, the same...

Like with most things, it will be a wakeup call for QF, Virgin and all large companies again .... at our expense of course
 
Finally received my first spam email that's addressed to my actual real name. Previous iterations were all solely addressed to the gibberish prefix of my gmail address.

We are reaching out from the Burnley Magistrates' Court regarding a recent settlement awarded to you following a data breach affecting your personal information. In response to this incident, authorities have taken decisive action, and compensation has been allocated for eligible recipients, including yourself, due to the extent of the data exposure.
This settlement is intended to cover any losses incurred, as well as potential impacts to your financial standing and credit report. We appreciate your attention to this matter.
Then again could simply be a coincidence and was generated long after one of the previous cyber incidents.
 
There may be key network architecture issues at play in this together with authentication differences. For someone to log in with the "hacked" credentials suggests a lack of MFA. Where you are in the corporate network could see different security layers applied. And Salesforce as a SaaS provider would be different to in-house users with all the SSO and other layers often quite variable between in-house to off-shore locations.
Again, we're speculating on the method of use for these "hacked" credentials. Having MFA in place obviously doesn't prevent unauthorised use of login credentials if someone shares the relevant MFA code to facilitate a login as part of the socially-engineered hack. Unfortunately, the people element will be one of the weakest points in the security chain.
 
Both my wife and I are part of the 6 million.
Yesterday we both got a fake 'parcel' text message from a +63 number (Philippines).
Is this a result of the hack?
 
