QANTAS Cyber Incident

I suspect that there has been a lot about what happened that has not been disclosed as yet (and may not be).

It is being represented that a scammer has tricked a call centre agent into giving up their credentials which allowed the scammer to access the system and access the data. Unless security is ridiculously lax, no front line call centre agent credentials would have the necessary access to allow mass download of data like that. They would have screen based data to a limited amount, the ability to search etc., but not to mass extract.

If it is an administrator that has been scammed, then it is not someone who would be expected to be taking calls, so a quite different scenario - and someone who should be much more aware of the implications of handing over credentials. These sorts of credentials should also have more Multi-Factor security and other restrictions applied as well.

I think that the details released are probably factual, but carefully crafted so that they lead to assumptions about the actual scenario which are not correct. The possibility of it not being a person being scammed, but rather financially induced may be more likely than other possibilities.

I think being the main FF service centre there is the possibility the person was running reports and thus would have quite extensive permissions. I’m assuming their role goes beyond just taking calls and could extend to things like helping HQ with lists of members due to be downgraded and need an email with an offer to extend, for example.

I know in the ADF, who use a similar commercially supplied system (I think SAP?), I was always surprised how administration personnel of a much lower rank than me could run ADF wide reports. Sure they’d probably get flagged but they could run the report in the first place - exactly what happened at QF (the person got caught).
 
no front line call centre agent credentials would have the necessary access to allow mass download of data like that. They would have screen based data to a limited amount, the ability to search etc., but not to mass extract.

That is easily overcome. Write a bot to do a series of queries and then screen scrape to write each result back to a database. All they need to start is 1 FF# and then keep incrementing the number by one and see who else they pick up. A bot can do this much faster than a human. Hence they may have picked this up as 1 staff member doing a lot more queries than humanly possible in one or more sessions.

And yes a supervisor can easily run reports of all people who registered for a particular campaign or have a certain status etc.
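As an added example (not from any poster in this thread, and not Qantas’s own tooling), here is detection logic over constructed lookup-audit records that flags an agent account whose query rate, or whose habit of walking consecutive member numbers, is beyond what a human taking calls would produce. The field layout, agent ids and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of member-lookup audit events as (agent_id, timestamp, member_number).
# Agent "a03" looks like a human taking calls; "a17" looks like a scripted sweep that
# increments the member number once per second. All values are made up.
SAMPLE_EVENTS = [
    ("a03", "2025-06-30T09:00:12", 1934820),
    ("a03", "2025-06-30T09:04:55", 8820113),
    ("a03", "2025-06-30T09:11:30", 4400271),
    ("a03", "2025-06-30T09:20:02", 7301958),
] + [("a17", f"2025-06-30T09:00:{s:02d}", 1500000 + s) for s in range(60)]

def group_by_agent(events):
    """Parse timestamps and group lookups per agent, oldest first."""
    by_agent = defaultdict(list)
    for agent, ts, member in events:
        by_agent[agent].append((datetime.fromisoformat(ts), member))
    for rows in by_agent.values():
        rows.sort()
    return by_agent

def lookups_per_minute(rows):
    """Average lookup rate over the agent's active window (0 if fewer than 2 rows)."""
    if len(rows) < 2:
        return 0.0
    span = (rows[-1][0] - rows[0][0]).total_seconds()
    return len(rows) * 60.0 / max(span, 1.0)

def sequential_fraction(rows):
    """Share of consecutive lookups whose member numbers differ by exactly one."""
    if len(rows) < 2:
        return 0.0
    steps = sum(1 for (_, a), (_, b) in zip(rows, rows[1:]) if b - a == 1)
    return steps / (len(rows) - 1)

def flag_agents(events, max_rate=10.0, seq_threshold=0.5):
    """Return {agent: [reasons]} for non-human lookup patterns; thresholds are assumed."""
    flagged = {}
    for agent, rows in group_by_agent(events).items():
        reasons = []
        rate = lookups_per_minute(rows)
        if rate > max_rate:
            reasons.append(f"{rate:.0f} lookups/min exceeds {max_rate:.0f}")
        seq = sequential_fraction(rows)
        if seq >= seq_threshold:
            reasons.append(f"{seq:.0%} of lookups walk consecutive member numbers")
        if reasons:
            flagged[agent] = reasons
    return flagged

if __name__ == "__main__":
    for agent, reasons in flag_agents(SAMPLE_EVENTS).items():
        print(agent, "->", "; ".join(reasons))
```

The rate check alone would also catch a report run that dumps many records in one go, so in practice a second signal such as the sequential-number walk keeps the alert from firing on every legitimate bulk report.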
 
Don't think this has been noted yet. AFR has a detailed story today (paywalled).

Qantas says it moved quickly to safeguard its systems before hack

A few snippets

A Qantas spokesman said the company alerted its IT workers on Friday and call centres last Saturday, warning them that Hawaiian Airlines and WestJet systems were hacked and to be on the lookout for any suspicious activity.

An alert sent to Qantas IT teams on Friday afternoon, seen by The Australian Financial Review, said the airline had “triaged a recent threat advisory from Google Cloud regarding the threat group Scattered Spider. This includes an allegation that they are currently targeting aviation sector organisations”.

The note went on to outline incidents targeting different airlines across the globe.

On Monday, hackers breached Qantas’ systems by tricking a call centre employee in Manila into granting them access to its database.

The note sent to Qantas IT staff last Friday told them to be alert for cybercriminals relying on phone-based social engineering, including impersonating employees when calling IT help desks or asking to change registered phone numbers or use self-service account recovery processes.

“Could you please remind the team to be extra vigilant, especially when handling calls that involve changing or updating mobile numbers or email addresses, or resetting passwords or unlocking accounts (including users that may have admin accounts),” the note read.

Qantas told IT staff to advise their teams to decline such requests, particularly if the caller seemed persistent or rushing. They were told to say the system would not allow the changes and advise that they would call back.


So they did the right thing and actively messaged their people a few days before the actual breach yet the breach seems to have occurred exactly as the centres were warned about.
 
So they did the right thing and actively messaged their people a few days before the actual breach yet the breach seems to have occurred exactly as the centres were warned about.

And yet that employee did not take enough care or take a second to think: could this be phishing?

Just like our internal IT dept sends these obvious phishing emails to see which employees are risks, and time and time again the same people fail to recognize and report the attempt and click on the bait - if it were me I would put them immediately on performance management (and restrict their access) and a second failure to recognize a phishing test, say bye bye.

If you have access to sensitive data or systems you need to take great care before acting.
 
And yet that employee did not take enough care or take a second to think: could this be phishing?
But where does the line that they're an employee get drawn? They might be sub-contracted by the call centre in Manila? Watch the acrobatics to declare it wasn't an employee of Qantas etc etc..
 
But where does the line that they're an employee get drawn? They might be sub-contracted by the call centre in Manila? Watch the acrobatics to declare it wasn't an employee of Qantas etc etc..
I don't doubt there will be acrobatics, hence would prefer call centres were onshore and in-house to remove this.

But if Qantas warned its staff, I'm also pretty sure that they would have passed on the advice to the call centre operators, who appear to have failed to make sure their staff complied.

When I have had to roll out policy and procedure changes, I've always had to do so to both direct staff and outsourced partner staff and test that the message landed with both.
 
I don't doubt there will be acrobatics, hence would prefer call centres were onshore and in-house to remove this.

But if Qantas warned its staff, I'm also pretty sure that they would have passed on the advice to the call centre operators, who appear to have failed to make sure their staff complied.

When I have had to roll out policy and procedure changes, I've always had to do so to both direct staff and outsourced partner staff and test that the message landed with both.
There is no guarantee that the social engineering part of the attack took place this week. Gaining access is sometimes followed by a bit of recon prior to the actual exfiltration....
 

But if Qantas warned its staff, I'm also pretty sure that they would have passed on the advice to the call centre operators, who appear to have failed to make sure their staff complied.
Ah this is Risk Management by Contract. I remember having a similar conversation with a CTO. I asked what happens if there's an outage, and their response was that there are Service Level agreements with the provider. Which completely missed the point of the question.

Similarly, simply passing on obligations via contracts is hardly a way of managing the risk; it only serves to define penalties when such incidents occur.

hence would prefer call centres were onshore and in-house to remove this out.

Yes this is the best solution - but as I said in another post, who gets bonuses for reducing profits (and misses out on another luxury yacht)? The benefits such action results in never appear on a company's books.
 
I received a scam call a few days ago from 02 9691 3636 (Indian accent) claiming to be from Qantas about a suspicious booking, they knew my name but couldn't provide other information. Wonder if it is related to the cyber attack.
 
Ah this is Risk Management by Contract.

That is a leap. As stated above, I've personally planned and delivered training on revised procedures and policies for both in house and outsourced resources, and always had steps in place to audit roll-out as well as had teams do random calls to vet that changes are happening in practice or being complied with.

The contract yes is for penalties but that doesn't mean you only rely on that.

Of course risks go up when you outsource because you can lose control and direct visibility of how messages are conveyed. Plus not everyone includes localisation training in the mix.
 
I received a scam call a few days ago from 02 9691 3636 (Indian accent) claiming to be from Qantas about a suspicious booking, they knew my name but couldn't provide other information. Wonder if it is related to the cyber attack.
Is your number listed?
 
I received a scam call a few days ago from 02 9691 3636 (Indian accent) claiming to be from Qantas about a suspicious booking, they knew my name but couldn't provide other information. Wonder if it is related to the cyber attack.

It’s too soon.

Just like all the Australia Post scams, it’s likely nothing to do with the company that’s being spoofed. It’s just that a lot of Aussies deal with companies like Australia Post and Qantas.
 
It’s too soon.

Just like all the Australia Post scams, it’s likely nothing to do with the company that’s being spoofed. It’s just that a lot of Aussies deal with companies like Australia Post and Qantas.
….Telstra, “the NBN”, CBA….

Scattergun scamming. Particularly using landline numbers - because older peeps still have them! 😳
 
Is this not seen as news?
I haven’t seen anything on
Or

I noticed this guy put something

Does this mean if released everyone will have direct phone numbers for QF exec?

The criminals accessed "principally customer names, also phone numbers and frequent flyer numbers as well".
 
Am I missing the point here? Many people saying that they use Authenticator/trust QF would reimburse any hacked or stolen points etc, which I get. But isn’t there a bigger risk for identity theft or other financial mischief away from QF if hackers have your name, address, email and DOB - which info is commonly used to authenticate transactions to reset passwords, port phone numbers (OMG the trouble if someone ports your phone number), etc etc.

Now I’ve read to the end of the thread, I’m “reassured” that others see the same issues that I do. So not catastrophising, this is actually pretty bad.

The thread has since been on a bit of a journey around other discussion points but your point made yesterday morning is still (for me) the central issue re the nature and extent of additional personal vulnerability arising from the breach. More of today’s posts – and media commentary – are now talking about the ID theft risks and I’d hope to see increased focus on this and on what each of us affected could/should consider doing.

The personal data fields QF has told us were compromised should not provide unauthorised access directly to anything. So the thief (or others to whom the data is sold) will want to leverage what they have obtained from QF, with/without complementary data from other sources, to build a richer dataset to facilitate ID theft and fraud.

My own personal risk assessment yesterday concluded that my exposure has increased only slightly though I’m not complacent about it. I suggest there are – broadly – 3 categories of potential attack vector:
  1. Exploit the QFF member number to impersonate QF and seek to extract more identifying particulars from individual QFF members. Obviously most of us are now sensitised to this.
  2. Another option to exploit the QFF number, in combination with personal particulars, could be to target businesses which award QFF points, by impersonating the customer to obtain additional details about customers.
  3. Use the compromised data as the basic building blocks to construct a fuller profile sufficient to apply for bank account, loan, card etc i.e. the long game where much will depend on the effectiveness of targets’ protection of their other personal details/documents.
It is (3) that concerns me most, with (1) & (2) just intermediate steps. Still early days, it remains to be seen what else QF discovers and discloses which may change the initial assessment. In the short term the only new action I’ve taken is to request bans from Equifax, Experian and Illion on the issue of credit reference reports for 21 days from yesterday: thanks to @albatross710 for the reminder and link in post #224 that this can be done for all three by filling in one form.
 
It’s too soon.

Just like all the Australia Post scams, it’s likely nothing to do with the company that’s being spoofed. It’s just that a lot of Aussies deal with companies like Australia Post and Qantas.
Interesting, and probably coincidentally, I got a call on Tuesday night saying I had a passport issue. Hung up straight away. And then another one from Telstra today (I am not with them). So I am not disputing that it might be too soon, but after nothing for months to get 2 scam calls within 24 hours is interesting.
 
It is (3) that concerns me most, with (1) & (2) just intermediate steps. Still early days, it remains to be seen what else QF discovers and discloses which may change the initial assessment. In the short term the only new action I’ve taken is to request bans from Equifax, Experian and Illion on the issue of credit reference reports for 21 days from yesterday: thanks to @albatross710 for the reminder and link in post #224 that this can be done for all three by filling in one form.

I just don’t think that’s credible in 2025. Scammers are everywhere and financial institutions are well aware of it. If you’ve applied for credit or dealt with any financial institution recently you’ll know you’re not going to get far with this kind of data.

I did a large transaction with my bank last year and I had to film a video for them as part of the authentication (it was for a house deposit).
 
It’s too soon.

Not really, the data was stolen on Monday; if this was a planned attack they could have easily already had use cases in mind and be using it already themselves even if also planning to sell it.

I would not be surprised at all if they are already trying to guess PINs based on DOB and post codes they have stolen.
 
Not really, the data was stolen on Monday; if this was a planned attack they could have easily already had use cases in mind and be using it already themselves even if also planning to sell it.

I would not be surprised at all if they are already trying to guess PINs based on DOB and post codes they have stolen.

That doesn’t fit the profile of Scattered Spider, who they’re pretty sure is behind this. More likely to be asking for ransom and/or selling rather than low level scams.

Won’t get too far with QF with 2FA on by default.
 
In the short term the only new action I’ve taken is to request bans from Equifax, Experian and Illion on the issue of credit reference reports for 21 days from yesterday: thanks to @albatross710 for the reminder and link in post #224 that this can be done for all three by filling in one form.
I find Illion the easiest to fill the form with and tick the "notify the others" box so you only need to do it once. You can also request for the ban to be extended to a year. I, having fallen victim some years back, have renewed the ban every year since. I request for the ban to be lifted (Illion allows you to request the lift for a set period of time, the other 2 don't) when I need a credit check to be done. Once my application is finalised, I apply to have the ban placed again. Once again, requesting the ban can be done with just one, asking for the other 2 to be notified. Illion and Experian responded almost straight away that the ban is in place. Equifax can take a little while.
The request to lift has unfortunately to be done with each individually. Illion always approves straight away. Experian states it can take up to 24 hours but seems to approve straight away as well. Equifax states it can take up to 24 hours and they mean it. If in a hurry (since the other 2 are already lifted), you can ring Equifax and they are willing to act on it promptly.
Last time I lifted my ban for only 5 hours. When all 3 bans were lifted, I put in my application for a new NBN ISP. Once the ISP sent me an email to confirm my account had been approved, I immediately had the ban reactivated. Immediate peace of mind.
The hackers seem to play for the long term. In this instance, unless the hackers also have your current proof of ID details - driver's licence (the card number is crucial here), Medicare and passport - they don't have enough of your info to do any financial transaction in your name, so unlikely to get to the credit check stage. Then again, it pays to be vigilant and take as many precautions as will put you at ease.
 