QANTAS Cyber Incident

If the system allows you to create your own questions for the random question to log in, you can make questions which no one else could even understand much less even attempt to answer.
Oh I would love to be able to create my own questions. Make it much easier
I create my own answers which have no relation to the question.
 
It’s fine. The 3 questions are an old verification method, however they are considered too easy to compromise. You can’t change your DOB nor your mother’s maiden name. Make sure you have MFA on your mobile provider’s account.

Actually not that old, it was introduced sometime after I became a QFF member, and as such I was never able to add questions and answers after the fact; so need to rely solely on MFA.
 
How do you remember the association?
E.g. "first home suburb" is the question; how would you typically answer that and remember?
I sometimes pick a TV show that I like and can remember easily, and use the addresses, names etc from that. I have never entered my 'real' information, especially for my mother's maiden name.
 
How do you remember the association?
E.g. "first home suburb" is the question; how would you typically answer that and remember?
I use mnemonics or similar generally based on the question.

A simple example (I do use something more complicated than what follows) is the first letter of every word in the question.
 
What else can they say?
Maybe something about the fiasco of us receiving that second email with a different list of compromise data.
Agree. Also, whilst it's optics, just the timing of Green Tier changes and raising change fees - seriously, it takes a company with a lot of gumption to make negative changes so soon after 6 million of their customers were hacked.
 
How do you remember the association?
E.g. "first home suburb" is the question; how would you typically answer that and remember?
KeePass is my tool of choice. Then the answer does not even need to be something I can remember or even pronounce - no, I am not Welsh, even though my answer to that question may appear to be a small town in Northern Wales :cool:
 

Good-o. From that article:

However, today, 1.1 million of those customers received a second email from the airline, informing them more data had been stolen than first thought.

Qantas has told some custers they had more data stolen in last week's cyberattack than they were first told.
In the vast majority of these cases, customers' phone numbers have been stolen, on top of the other information they had been informed of earlier in the week.

But that's odd - because people here receiving e-mails on Thurs/Friday reported FEWER data fields had been taken - in most cases 9 down to three. Which do we believe?

Still, Nine were close. Rather than 'custers', it's clearly a cluster ....
 
But that's odd - because people here receiving e-mails on Thurs/Friday that reported FEWER data fields had been taken - in most cases 9 down to three. Which do we believe?
As someone who was initially advised 9 out of 11, and then subsequently 3 out of 11, I'm going to be assuming the worst case scenario.
 

Think most have assumed it was two separate entries in the database, maybe one personal FF, one business rewards for example.
To the best of my knowledge, I would only have one entry. Don't have Business Rewards and have never used the same credentials on a secondary/family account. Additionally, my second communication was received from a different Qantas email and a different template.
 
I decided to reduce my risk as far as my QFF account is concerned, and make a few QFF reward bookings over the weekend. Even booking a CR+ international Y award as that was the only option in the date range needed. Probably not the greatest value for money, given that the flight was available with a "Sale" fare, but that also meant the CR+ was not much more expensive than CR rate.

But still a healthy balance remains. QFF 2-factor authentication was set up a few weeks ago - perhaps I knew what might be coming? Or just knew that QF's security processes were likely vulnerable.
How does it reduce risk?

If you still have a points balance you’d have to ask QF to refund those anyway.

And if your account is hacked, they just need to cancel your existing flights and rebook them.
 
Possible report of use of information on Reddit.

Note the OP has not responded to say whether the information "number of points" is near accurate or just a hope and send strategy


And a very odd expression of time.
That is concerning, could see some people falling for that. A very minor tweak to say ‘xx_ points as of 1 July’ would explain away any inaccuracy.

A further poster in the thread wonders whether spelling mistakes or odd expressions are intentional as they weed out people who are unlikely to fall for the scam, leaving those who might be more susceptible :(

Now I am seeing how this data can be put to use :(

I think there’s going to be a long time where QF will have to potentially reinstate any expired points, given many might not act on emails from QF in the future, or might not even see emails if they go straight to junk.
 
How does it reduce risk?

If you still have a points balance you’d have to ask QF to refund those anyway.

And if your account is hacked, they just need to cancel your existing flights and rebook them.
Now you have just ruined my cunning plan :eek:

I guess I was assuming any hacker would be in and out as quickly as possible without looking at current award bookings they may be able to cancel to get a few more points to transfer out.
 
