QANTAS Cyber Incident

Is this a result of the hack?
Probably a coincidence, but who knows? Your guess is as good as anyone else’s at this moment. 🤷‍♂️

Edit: Just to add to my comment above, having your details breached/leaked is in no way a guarantee that you'll be subject to or targeted by any more scams in the future than you already otherwise are today. The assumption is that none of these details are already out there in the wild (and we know for many that a considerable amount of this info was potentially already out there for scammers to use prior to the Qantas breach).
 

The Call Centre can alter their ID verification process though, they were never asking for the PIN but now they'll need to ask for things that weren't in the dumped data.
What a terrific idea - let's give them access to more information not already leaked so that the next attack can get that as well.

Before anything like that can be done, the whole keeping of information in locations where it can be mass extracted by someone with presumably relatively low level credentials needs to be addressed. That will be a major change, and require a lot of work and testing - so unlikely to happen anytime soon.
 
Both my wife and I are part of the 6 million.
Yesterday we both got a fake 'parcel' text message from a +63 number (Philippines).
Is this a result of the hack?


You are lucky to have only started getting those yesterday. I have been getting fake "parcel/delivery" texts and emails for years!
 
Probably a coincidence

I would upgrade this to "almost certainly a coincidence".

These groups don't go after airline loyalty databases just so they can send poorly crafted post/courier phishing attempts. There's no need to hack anyone to send those, they just spam every possible Australian mobile number...
 
What if it was the Hobart call centre that was hacked.
Would you be calling for everything to be offshored?
Maybe safer for a call centre to be in Australia than elsewhere. Why else does AFP have liaison offices in the Philippines, Myanmar, Thailand and elsewhere. If an onshore/in-house call centre, QF would likely have more control over security practices.

Tell me - what should the board have done to avoid this?
Onshore/inhouse the call centres for starters.

It's often easy to be a part of a mob with pitch forks.
The problem is not the individual that caused the break in security but the organisation with potentially lax data security. It remains to be seen what actually happened and what can be done at the organisational level.


I suspect everyone has been impacted.
I have not got an email
 
I would have expected that the Risk and Audit Committee of the Board would have signed off on the risk profile of the contracts they were signing into, given the catastrophic consequence/extreme risk level rating of a failure like this, on Qantas' reputation, and potentially exposure to a hefty fine - and a fine can't be claimed as a business expense, so it hits profit.

I suspect though, given the Board's behaviour in the past, it was something they didn't think, to think about.

Catastrophic is a plane crash with loss of life.
Basic data being shown to someone who isn't authorised is not.

You may also consider what a fine will achieve.
Will it prevent someone at a call centre from ever being socially engineered again? Unlikely.
Will it prevent the next big Australian co from having an incident? Unlikely.
Will it make you feel good that 'justice is served' ? Probably.

Therefore, what you are asking for ('a hefty fine'), serves only to satisfy your emotions.

Logically, QF should do whatever is reasonably possible to make people feel OK about what happened.
Maybe that is a fine, and maybe it's not - but pretending that a fine, and hitting the board with something will fix this, and prevent the next cyber incident, is straight up delusion.
 
My wife has now received the second email and I still haven't. She has also had no contact with Manila but is a much, much newer account than mine - if that matters.
 
Logically, QF should do whatever is reasonably possible to make people feel OK about what happened.
Maybe that is a fine, and maybe it's not - but pretending that a fine, and hitting the board with something will fix this, and prevent the next cyber incident, is straight up delusion.
I agree with you in terms of priorities, and what at the end of the day is really important.
However, Qantas is a company and subject to the same laws of the land as any other company, including mine. In any event, having the Board focus its attention on this matter should (I hope) result in a stronger oversight of cyber security across the company and its associated systems. In my line of work, we upgrade the cyber capabilities of organisations to get to a level of maturity they need - as they aren't as prepared as they should be, which usually comes about because funding isn't approved, as it's just "IT" and not a priority.
 
Maybe safer for a call centre to be in Australia than elsewhere. Why else does AFP have liaison offices in the Philippines, Myanmar, Thailand and elsewhere. If an onshore/in-house call centre, QF would likely have more control over security practices.


Onshore/inhouse the call centres for starters.


The problem is not the individual that caused the break in security but the organisation with potentially lax data security. It remains to be seen what actually happened and what can be done at the organisational level.



I have not got an email
neither have I. I don’t think it means anything more than a fluff in the system. I sometimes haven't received the DSC email but it still applies.
 
Catastrophic is a plane crash with loss of life.
Basic data being shown to someone who isn't authorised is not.

You may also consider what a fine will achieve.
Will it prevent someone at a call centre from ever being socially engineered again? Unlikely.
Will it prevent the next big Australian co from having an incident? Unlikely.
Will it make you feel good that 'justice is served' ? Probably.

Therefore, what you are asking for ('a hefty fine'), serves only to satisfy your emotions.

Logically, QF should do whatever is reasonably possible to make people feel OK about what happened.
Maybe that is a fine, and maybe it's not - but pretending that a fine, and hitting the board with something will fix this, and prevent the next cyber incident, is straight up delusion.

I think Qantas would only be severely penalised if it breaches the SOCI Act. I am not sure if that leaked information would constitute a breach of SOCI though.
 
I received both emails; originating as described by @Princess Fiona .

The only thing I could really do is change my email address; fortunately I was planning on doing this anyway as I was preparing in the next few months to break the shackles of the ISP email I have been using for three decades.
 
I received both emails; originating as described by @Princess Fiona .

The only thing I could really do is change my email address; fortunately I was planning on doing this anyway as I was preparing in the next few months to break the shackles of the ISP email I have been using for three decades.
Yes, this will also hasten my move away from the ISP of several decades, and given that is Optus I have probably been far to slow to start the process.
 
Basic data being shown to someone who isn't authorised is not.
This was more than just basic data; you can't request birth certificate details for a living person unless you are an official guardian, so associating my DOB with the specific email address I use for travel is more than just basic.

You may also consider what a fine will achieve.
Pressure to markedly improve security to avoid another such fine; deterrent to other similar business continuing to not put adequate measures in place. But the proceeds of the fine should be split amongst the victims not line government coffers.

Will it prevent someone at a call centre from ever being socially engineered again? Unlikely.
We don't know that they were working from within the call centre when this happened, lots of WFH happening in Manila from my experience.

If Qantas insisted that system access was restricted to in-office/call centre property IP addresses on LAN or only allowed from company registered laptops over VPN then the 3rd party caller offsite wouldn't have been able to connect as not on whitelisted network or asset. When I have worked on sensitive data these type of restrictions have been in place in addition to MFA.

Will it prevent the next big Australian co from having an incident? Unlikely.
It could if it scares them into being more proactive.

Will it make you feel good that 'justice is served' ? Probably.
Only partially, severing all ties with that offshore company and bringing back onshore and in house would make me much happier. Plus some useful compensation.
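The network/asset-bound control described in the post above (agents connect only from the call-centre LAN, or from a company-registered laptop over VPN, with MFA on top) as an added illustration that is not code from the original thread or from Qantas or its contractor. The CIDRs, device IDs and sessions are constructed sample values, and the function names are hypothetical; the `audit` helper shows how the same policy can be run over historical session logs to flag connections that should have been refused.

```python
"""Evaluate agent sessions against a network/asset-bound access policy (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample values (documentation ranges, not anyone's real infrastructure).
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # call-centre LAN egress
VPN_POOL = ipaddress.ip_network("10.50.0.0/16")               # addresses issued by the corporate VPN
REGISTERED_DEVICES = {"LAPTOP-0001", "LAPTOP-0002"}          # company-managed assets

@dataclass
class Session:
    agent: str
    src_ip: str
    device_id: Optional[str]   # None when the client presented no managed-device identity
    mfa_passed: bool

def decide(s: Session) -> Tuple[bool, str]:
    """Return (allowed, reason). MFA is required on every path; beyond that the session
    must originate on an office network, or on a registered device over the VPN."""
    if not s.mfa_passed:
        return False, "mfa-not-satisfied"
    ip = ipaddress.ip_address(s.src_ip)
    if any(ip in net for net in OFFICE_NETWORKS):
        return True, "office-network"
    if ip in VPN_POOL and s.device_id in REGISTERED_DEVICES:
        return True, "registered-device-over-vpn"
    if ip in VPN_POOL:
        return False, "vpn-from-unregistered-device"   # VPN creds alone are not enough
    return False, "off-network"                        # home/mobile/unknown address

def audit(sessions: List[Session]) -> List[Tuple[str, str]]:
    """Flag every session the policy would have denied; run this over past logs to find
    connections that got through before the control was enforced."""
    flagged = []
    for s in sessions:
        allowed, reason = decide(s)
        if not allowed:
            flagged.append((s.agent, reason))
    return flagged

# Constructed session records standing in for a VPN/application access log.
SAMPLE = [
    Session("agent01", "203.0.113.45", None, True),          # on the call-centre LAN
    Session("agent02", "10.50.12.7", "LAPTOP-0002", True),   # managed laptop over VPN
    Session("agent03", "10.50.12.8", "HOME-PC", True),       # VPN from a personal machine
    Session("agent04", "198.51.100.9", "LAPTOP-0001", True), # managed laptop, but no VPN
    Session("agent05", "203.0.113.50", None, False),         # on the LAN, MFA not completed
]
```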
 
Maybe safer for a call centre to be in Australia than elsewhere. Why else does AFP have liaison offices in the Philippines, Myanmar, Thailand and elsewhere. If an onshore/in-house call centre, QF would likely have more control over security practices.

I really don’t think that’s true.

This wasn’t a technical breach (hack), it was done with human error/violation. That could just as easily happen with a QF employee.

In fact I’d argue an airline operating a small call centre would have less robust processes than a company who specialises in managing call centres such as the QF MNL example.

Any security training covers the “trusted insider” as was the case here. It’s a risk you can never completely eliminate. It was told to us that they were deceived but there’s no guarantee they weren’t paid off.
 
In fact I’d argue an airline operating a small call centre would have less robust processes than a company who specialises in managing call centres such as the QF MNL example.

Depends. My current employer has a small internal call centre of 10 agents and security much tighter than when I was working to outsource a larger call centre to the Philippines in a previous role.

Some of the big call centre providers use the same staff across multiple customers i.e. they may be working on an airline this shift, a telco next shift and a shopping site the next. This is why training doesn't always stick and there is an over-reliance on scripts.

I had an Indian BA working for me in last role, who was awesome and had the craziest stories about working in call centres whilst studying at uni. This made her super diligent about how to engineer processes for offshore call centres including ensuring no difficult/complex cases were routed there.

Any security training covers the “trusted insider” as was the case here. It’s a risk you can never completely eliminate. It was told to us that they were deceived but there’s no guarantee they weren’t paid off.
Yes I also wondered about a bribe to provide the info.

Noting there are technical controls that can be put in place that mean connecting to the system off premises or off asset isn't possible; Qantas and other companies using outsourced providers need to insist on this.
 
Noting there are technical controls that can be put in place that mean connecting to the system off premises or off asset isn't possible; Qantas and other companies using outsourced providers need to insist on this.

But I think this was the saving grace, it was not the QF system that was accessed but the call centre's separate system. At least credit cards / passwords etc. weren't included. It would be a much bigger world of hurt if they were.
 