QANTAS Cyber Incident

It is (3) that concerns me most, with (1) & (2) just intermediate steps. Still early days, it remains to be seen what else QF discovers and discloses which may change the initial assessment. In the short term the only new action I’ve taken is to request bans from Equifax, Experian and Illion on the issue of credit reference reports for 21 days from yesterday: thanks to @albatross710 for the reminder and link in post #224 that this can be done for all three by filling in one form.

Agree with all you say. I too have put a ban on credit reference reports via @albatross710's link (thanks). As I'm not in the market for credit anymore, I should have done that before and it can stay as far as I'm concerned (I'm aware that it needs to be refreshed in 21 days).

you’re not going to get far with this kind of data.

You missed what Telemachus said. It's not this data per se, but this data combined with other data out there to build a larger profile of someone, or a group. The 'this data isn't important or very useful' attitude is looking pretty narrowly at the overall problem.
 
I'm one of the unlucky ones with 2 emails from Qantas. Also my email spam and unsolicited phone calls went up. Someone tried to access my Google account. It always *hits me when I get transferred by phone to someone who doesn't speak English clearly in any service industry. This is double *hits. Thank you Qantas.
So how much $$$ are you going to compensate me?
Really worried how safe their planes are after this stuff-up.

I've already signed up with the lawyers for the class action re delays/non-existent flights. That was the last flight I got with them. Been Virgin for ages.
 
You missed what Telemachus said. It's not this data per se, but this data combined with other data out there to build a larger profile of someone, or a group. The 'this data isn't important or very useful' attitude is looking pretty narrowly at the overall problem.

No, I didn’t miss it. You’re not going to find the data that lets you access my bank account or open a credit card in my name. If my driver's licence number leaked as per Optus I might be more worried, but without that (and more) you’re not going far in 2025.

As I said the focus needs to be protecting the access point which all financial institutions I deal with have. Even Woolies require 2FA.

The main threat of this breach is being targeted for scams, and that is a real problem. It’s already to the point I don’t trust any phone call, text or email unless I am confident it’s genuine. Even then I have come close to being tricked.
 
I suspect that there has been a lot about what happened that has not been disclosed as yet (and may not be).

It is being represented that a scammer has tricked a call centre agent into giving up their credentials, which allowed the scammer to access the system and access the data. Unless security is ridiculously lax, no front line call centre agent credentials would have the necessary access to allow mass download of data like that. They would have screen-based data to a limited amount, the ability to search etc., but not to mass extract.

If it is an administrator that has been scammed, then it is not someone who would be expected to be taking calls, so a quite different scenario - and someone who should be much more aware of the implications of handing over credentials. These sorts of credentials should also have more Multi-Factor security and other restrictions applied as well.

I think that the details released are probably factual, but carefully crafted so that they lead to assumptions about the actual scenario which are not correct. The possibility of it not being a person being scammed, but rather financially induced may be more likely than other possibilities.

Entry level consultant/drone on Salesforce shouldn't have any report access; if they did, QF is hopeless.

It would be someone with higher privileges who has report access, then it's simply a case of picking/editing a report and downloading/exporting...

6 Million lines would take a while though...
 
@Telemachus and @albatross710, may I ask what is the purpose of keeping a credit report locked in this context? Is it to prevent bad actors using various bits of data to obtain your credit report and use that for further mischief?

I’m quite peeved as I’ve checked a couple of the sites suggested in this thread and one mentioned in ABC news, and until now, my email address was apparently the only thing out there, and there was insufficient data to generate a profile for me. My email address has been associated with a business - I’m getting a new one over the weekend. So now there will be new info about me out there as a result of the QF hack. Grrrrr
 
I mean I'd love a Qantas website that did everything a QF call center could do...
Oh you mean tell me that Qantas only flies between CBR and SYD twice a day, or cancel the entire international itinerary when I call to make an inquiry only about changing the timing of a connecting flight to SYD, or tell me that I am compelled to accept the involuntary changes to a flight exactly as offered or else I will have to pay extra, or…….
 
@Seat0B I believe the block stops companies being able to access your credit file. So if someone tries to apply for credit using your identity they couldn't get past the credit check.

Noting that it's not just applying for a loan or CC that triggers checks, things like changing mobile phone plan or internet provider can do the same.
 
It’s totally time for the government to intervene in excessive data retention - both in terms of the data collected and also how long it’s retained.
Australian regulations are sadly lacking in this regard.

As a point of comparison, my partner works for ANZ Bank (an Australian/New Zealand company) and the NZ government will not allow any data of NZ residents to be processed or stored offshore. No such protections for us!
 

I notice the Qantas website has been updated with the following:

  • Next week, we will be in a position to update impacted customers on the types of their personal data that was contained in the system. This will confirm specific data fields for each individual, which will vary from customer to customer.

I suspect this means more data items than previously mentioned might have been exposed. Is it possible if PNRs have been exposed that a booking record could be accessed using PNR + Surname? If so then people who have entered their passport details into Advance Passenger Information will therefore have this exposed too? Is this possible?
 
@Telemachus and @albatross710, may I ask what is the purpose of keeping a credit report locked in this context? Is it to prevent bad actors using various bits of data to obtain your credit report and use that for further mischief?
The aim is to prevent a scammer from opening an account in my/your name. When you apply for credit (bank account, credit card, phone, gas/electric supply etc) the provider does a credit ref check with one or more of the 3 agencies. By putting a ban in place you signal to the credit provider that there is a problem, they decline the application, the scam is defeated and you are notified. See post above by @QFFHntrGthr for further detail including how you can lift the ban temporarily when you want to make a credit application (a genuine one) yourself. Edit: @Aeryn has explained it better than I did with fewer words:).

In this context note that no-one is suggesting the QF-compromised data will suffice, alone, to enable this sort of fraud. The criminals will need to aggregate it with other compromised data they acquire on the dark web, &/or succeed with further targeted scams to gain access to your DL (for example), before they use your ID to apply for a bank a/c or whatever with any realistic chance of success.

I’m not advocating that everyone needs to institute a credit reference ban. I’ve done it as an additional layer in what was already a pretty risk-averse personal cyber security regime. I'll wait to hear more from QF in the next few weeks before deciding whether to extend the ban.
 
@Seat0B I believe the block stops companies being able to access your credit file. So if someone tries to apply for credit using your identity they couldn't get past the credit check.

Noting that it's not just applying for a loan or CC that triggers checks, things like changing mobile phone plan or internet provider can do the same.
Thanks @Aeryn, sounds like I might need to do this then as I’m not seeking loans or CC.
 
The aim is to prevent a scammer from opening an account in my/your name. When you apply for credit (bank account, credit card, phone, gas/electric supply etc) the provider does a credit ref check with one or more of the 3 agencies. By putting a ban in place you signal to the credit provider that there is a problem, they decline the application, the scam is defeated and you are notified. See post above by @QFFHntrGthr for further detail including how you can lift the ban temporarily when you want to make a credit application (a genuine one) yourself. Edit: @Aeryn has explained it better than I did with fewer words:).

In this context note that no-one is suggesting the QF-compromised data will suffice, alone, to enable this sort of fraud. The criminals will need to aggregate it with other compromised data they acquire on the dark web, &/or succeed with further targeted scams to gain access to your DL (for example), before they use your ID to apply for a bank a/c or whatever with any realistic chance of success.

I’m not advocating that everyone needs to institute a credit reference ban. I’ve done it as an additional layer in what was already a pretty risk-averse personal cyber security regime. I'll wait to hear more from QF in the next few weeks before deciding whether to extend the ban.
And thank you also @Telemachus. I’m also pretty risk averse in this area because I know someone who suffered an identity theft and it has been absolutely harrowing for them to get their life back in order.
 
In this context note that no-one is suggesting the QF-compromised data will suffice, alone, to enable this sort of fraud. The criminals will need to aggregate it with other compromised data they acquire on the dark web, &/or succeed with further targeted scams to gain access to your DL (for example), before they use your ID to apply for a bank a/c or whatever with any realistic chance of success.

I’m not advocating that everyone needs to institute a credit reference ban. I’ve done it as an additional layer in what was already a pretty risk-averse personal cyber security regime. I'll wait to hear more from QF in the next few weeks before deciding whether to extend the ban.

But that’s the bit you need to be worried about, and is why states (who hadn’t already) implemented things like a licence card number separate to the licence number.

The Optus breach did a lot of good in strengthening systems against ID theft. Any organisation that holds such ID information, which would be a small list, should definitely have heightened security measures not fooled by a scammer with your name and DOB.
 
Household of 4.
- 16 year old and I got the second email
- 12 year old and partner didn't.
None of us have ever used a call centre.
I am not sure of the 'why' of the age cutoff, but

  • Separately, all impacted customers aged 15 and above for whom we hold an email address have been notified of the impact in a second email. This email was sent prior to 1pm (AEST) Thursday 3 July. Please ensure you check your junk/spam folder.
 
Australian regulations are sadly lacking in this regard.

As a point of comparison, my partner works for ANZ Bank (an Australian/New Zealand company) and the NZ government will not allow any data of NZ residents to be processed or stored offshore. No such protections for us!

Actually, having worked at multiple Aussie banks, that is not true. The Big 4 (CBA, WBC/SGB, ANZ, NAB) are all required to keep all customer financial data onshore. Only processing of things like invoice payments (electricity, rent etc) is allowed to be done offshore.

Any company who has any level of Government as a customer is not allowed to store any of their data offshore, with a couple of exemptions if it's in a 5 Eyes partner country.
 
Slightly off topic but @mods do we also need separate warning threads that Hawaiian and WestJet have also had breaches? Just less information about what data was taken in theirs that I can find immediately.
 
The Optus breach did a lot of good in strengthening systems against ID theft. Any organisation that holds such ID information, which would be a small list, should definitely have heightened security measures not fooled by a scammer with your name and DOB.
Optus and some banks no longer store any identity documents, they use MasterCard ID to validate your license/passport with the issuer then just store an identity verification number (a reference to the unique check that was done) and not any details of the ID document other than type used.

The biometric part of the test is only stored on your own device. Unfortunately MastercardID is embedded in the Optus or banks app at the moment; there isn't a universal one for use across different companies.

So this is a plus of strengthening security; unfortunately as far as I'm aware all airlines require passport details to be associated with international tickets. If you think about it, only needing a PNR and Surname to access a booking is poor security, especially since the APIS has your passport details.
 