QANTAS Cyber Incident

[justinbrett]

We did exactly the same. Middle name added. For two accounts. But Qantas still says details missing.

The QF profile doesn’t have a separate middle names field it’s just given names so whether it’s name-initial or name-name I don’t think it could know the difference. These errors must be caused by something else, I’ve never got it.

 

[Seat0B]

Wonder if they are staging the advice e-mails, minimal impact first. So the conversation goes 'Oh, its not so bad then'. And that may be working.

I haven't had any advice email as yet, so I hope you are wrong, but I bet you are not.

 

[SYD]

The QF profile doesn’t have a separate middle names field it’s just given names so whether it’s name-initial or name-name I don’t think it could know the difference.

OT, but as mentioned earlier - when you book an international flight and try and enter your full name as per PP, editing the middle initial to full middle name would delete ALL name fields…. Now for me, it’s automatically populated but I don’t like the app now greeting me as “Hi Firstname Middlename” - which, yes is probably a sign that their system only really wants first name.

These errors must be caused by something else, I’ve never got it.

It comes and goes on the website. At first I thought it was phone numbers but they were correct. Getting QF to change middle initial to middle name did clear the error but then it came back….currently gone again - for now.

 

[Askance]

What help do you need exactly?

Personally I'd like them to connect affected customers with one of the credit reporting bodies

 

[sudoer]

But Qantas still says details missing.

If you're talking about the below error, I had it for several months in the lead up to May and a ticket to QFF helped get rid of it .. somehow.



Despite following the prompts to update profile the error wouldn't disappear. I just put up with it. Then in May, when trying to purchase gift cards from QF Marketplace, the below error appeared and I couldn't check out.



I buy quite a lot of GCs through QF Marketplace and this error occurred exactly when it usually sends an SMS 2FA code.

So I call QFF, the agent confirms my phone number & street address were correct (so those details might be in the data breach - great!) and they advised to also email screenshots, which I did. Two weeks later got a generic email from the VIP team saying the issue should be rectified, and it was.

 

[dairyfloss]

I hope they do not issue me new FF number. I like my 5-digit number and it is etched in my memory. I hope any such re-issue of membership numbers would be done on an oipt-in basis for those who do hold concerns.

Someone knowing my QFF number does not concern me, given that I have 2-factor authentication setup with Qantas so accessing from a new device would require to know my PIN and have access to my phone authentication app.

Agreed - I don’t really care about the 3 elements suggested in this example being ‘out there’, as they are pretty useless without access to a range of other elements, plus having 2/MFA and security questions in play.

Like you, I think I’d opt to retain the same number, but some might feel more comfortable with changing, and aren’t fussed about their actual QFF membership number.

Cheers,
Matt.

 

[lovestotravel]

OT, but as mentioned earlier - when you book an international flight and try and enter your full name as per PP, editing the middle initial to full middle name would delete ALL name fields…. Now for me, it’s automatically populated but I don’t like the app now greeting me as “Hi Firstname Middlename” - which, yes is probably a sign that their system only really wants first name.

It comes and goes on the website. At first I thought it was phone numbers but they were correct. Getting QF to change middle initial to middle name did clear the error but then it came back….currently gone again - for now.

Qantas on all profiles sets first name as FIRSTNAME MIDDLEINITIAL - Well that's what it wants....

Personally I'd like them to connect affected customers with one of the credit reporting bodies

Agree - But they won't do it...

 

[RooFlyer]

For the Qantas statement

First and foremost, we have uplifted all of our controls through the contact centres, including monitoring ...

“We’ve also taken precautionary steps to increase and uplift controls around our frequent flyer accounts … out of an abundance of caution.”

I guess 'uplifting controls' sounds better then 'increasing security' ?

 

[There'sOnlyOneJimmy]

I got my follow up email. Looks like I got the full bingo card…

Our cyber security teams have undertaken an investigation and we can confirm that the following types of your data held on the compromised system was accessed:

• Name
• Email address
• Qantas Frequent Flyer number
• Tier
• Points balance
• Status Credits

​

 

[kerfuffle]

• Name
• Qantas Frequent Flyer number
• Tier

Is what I got

Bronze with hardly any points

 

[SYD]

I got my follow up email. Looks like I got the full bingo card…

Our cyber security teams have undertaken an investigation and we can confirm that the following types of your data held on the compromised system was accessed:

• Name
• Email address
• Qantas Frequent Flyer number
• Tier
• Points balance
• Status Credits

​

That requires:
Phone number
Gender
Meal preference (if any)….

 

[Aeryn]

That requires:
Phone number
Gender
Meal preference (if any)….

and DOB

I do find it disappointing that they have given full stats to the media ahead of notifying customers of their individual impact.

 

[justinbrett]

and DOB

I do find it disappointing that they have given full stats to the media ahead of notifying customers of their individual impact.

I think it takes a while to send 6 million emails

 

[gtrod]

Name, Tier, and QFF number is all you need. No login required to make a booking. No login required at Check in (just booking ref and name).

There's no ID checking on domestic flights. Simply book your flights as your favourite Platinum 1.

Enjoy the great seat selection, blocked seat beside you and free lounge access

 

[AuSammy]

and DOB

I do find it disappointing that they have given full stats to the media ahead of notifying customers of their individual impact.

So simultaneously you accuse them if not sharing information quickly enough and then complain because they are trying to be as open as they can with the analysis of information coming to hand

 

[offshore171]

and DOB

I do find it disappointing that they have given full stats to the media ahead of notifying customers of their individual impact.

That's something they cannot be faulted on.

They are a listed company and subject to the "continuous disclosure" provisions of the corporations act.

From Google:
"Listed companies in Australia, like those on the ASX, are subject to continuous disclosure rules. These rules, found in the Corporations Act 2001 and the ASX Listing Rules, require companies to immediately disclose any information that a reasonable person would expect to have a material impact on the price or value of their securities. This ensures transparency and equal access to information for all investors. "


TLDR: They have to make any such announcements (that may affect the stock price) in such a way that everyone finds out at the same time.

You cannot guarantee that when sending out 6M emails

 

[AuSammy]

The last 15 or so years under AJ and VH. Qantas has minimal to zero goodwill and therefore some people are going to be angrier about this than they might usually have been

Ah so a presumption that may or may not be true asserted as a fact to confuse the issue for concerned people coming here to find & discuss the facts.

 

[justinbrett]

Name, Tier, and QFF number is all you need. No login required to make a booking. No login required at Check in (just booking ref and name).

There's no ID checking on domestic flights. Simply book your flights as your favourite Platinum 1.

Enjoy the great seat selection, blocked seat beside you and free lounge access

Anybody with status uses their Qantas app / website enough to see the erroneous booking.

Wouldn’t work with international as passport won’t match, so restricted to QFd only.

 

[Aeryn]

So simultaneously you accuse them if not sharing information quickly enough and then complain because they are trying to be as open as they can with the analysis of information coming to hand

Seriously? You think its more important to provide a media update with total stats rather then giving the affected customers information re which bit of their personal data were leaked.

Qantas has a duty of care to impacted customers, the media and those who were not directly impacted can wait for their gossip.

 

[33kft]

Name, Tier, and QFF number is all you need. No login required to make a booking. No login required at Check in (just booking ref and name).

There's no ID checking on domestic flights. Simply book your flights as your favourite Platinum 1.

Enjoy the great seat selection, blocked seat beside you and free lounge access

Whilst I'm not a P1, if anyone would like to fly with all of the trappings of WP and donate me their SCs feel free to reach out for my details

That said I'd probably want to do some screening to avoid being permanently banned should my mystery flyer play up midflight