QANTAS Cyber Incident

🤣. I did call them, twice and their resource IDCare all they said literally was there’s nothing to worry about. Those words.
WTAF - that is appalling.

I have had a couple of breaches with an old employer and something else that I can't remember but both offered free credit monitoring for a year
 
I am in no way supportive of Qantas. This has been an abysmal response here!..... but my deductions with respect to the inconsistent emails (reviewed across 5 accounts that I manage) is that emails were sent to the email address that was used, in the actual interaction with the Manila call center (or frequent flyer email/ contact forms) at the actual time of the transaction. Which in my cases, was not always the email address associated with the accounts I manage. So I got some emails with breach information that were never directly associated with the frequent flyer account, but to the email I used in the interaction.
So I am guessing that the online version, of what data was hacked, is a reverse lookup of their database (indexed by email address) and is identifying hacked information associated with the frequent flyer account and not with the email address used in the interaction.
Theory only, but holds true for me. (If true, it would mean I also got emails sent to addresses I no longer have)
I've only ever used one email with anything Qantas.
 
I’m of the opinion Qantas is just sitting on their hands waiting for it all to go away. MSM has completely dropped off the story.
Doing an AJ and gone to Ireland to look after a sick mum, wait until the dust settles. He never had to front the committee and give evidence and has not had to face the music for refusing to do so. VH being an avid AJ devotee is trying the same tactics. Keep quiet it'll go away.
 
I decided not to bother phoning, after seeing posts here on how useless the people giving ‘specialist identity protection advice’ had shown themselves to be, but I did email QF Customer Care with a specific request for credit monitoring. Others, I believe, have done the same. All I got back was a pro forma reply fobbing me off and containing nothing about credit monitoring (see my post #1256).

The QF pitch in public statements is that no financially sensitive details have been compromised and none of the exfiltrated PII has (yet) been 'released' by the hackers. The implication is that the risk does not justify measures such as credit monitoring even for the sub-set of customers who scored the full bingo card. I take a different view and have signed myself up for a subscription to Equifax Credit & Identity Protect.
 
Ironically, I was using my main email with them, but then I got hacked via Optus/ Medibank, so changed to a less used one, but now that's hacked as well - so I guess I just live with it.
Our company virus and scam protection is exceedingly thorough. It traps emails from genuine Australian and New Zealand government agencies and even its own SharePoint system. Do I need to worry about the Cyber Incident? In one case during COVID when you needed a test result and approval to go to New Zealand the system quarantined the positive response from NZ immigration and didn't release it until about 1 hour before departure. We had to use our personal emails to get a quick response, which took a long time before we realised what was happening!
 

Well a small win - the QBR team in Manila have managed to transfer the points balance in my business rewards account to my personal FF account - small win! They still can't get me back into my business rewards account...
 
Did they say it was related to the hack?

I had some issues getting in that day but punched through with a password reset- mind you, the QBR login has always been a bit temperamental for me.

But I’d be miffed if I was Level 2 or 3 and couldn’t access the discounts!
 
They haven't admitted that it is related to the hack (what hack?) but I suspect that it is - the problem started that day and I haven't been able to get into the account since. I was half expecting them to say that there were no points in the account to transfer.

I'm level 2 but have been using up my points stash recently before the devaluation but will need to book some cash fares soon. Am getting beyond a little annoyed that they can't fix the problem and get me back into my account.
 
TL;DR, IDCARE are useless, but their advice is dangerous and cynical.

So .. I had a bit of back and forth with IDCARE. As others have foreshadowed on here, they are quite useless. I had hoped to impress upon them, that some items of personal information lost are immutable. i.e. it is impossible to change one's date of birth and almost impossible to change addresses at will. They kept asserting that losing these are "low risk", as it is not possible to set up new accounts with banking and other services just using this information. However, I kept trying to press the point that several pieces of information were lost together, meaning that they can be used together. Also, if a further cyber event of this kind occurred, additional information made available via the dark web could be consolidated together that would make it much more likely that scammers could steal the identity of victims. They wouldn't hear it. Said that their risk assessment was clear that this was low risk, and all we needed to do was to remain vigilant for phishing attacks. I therefore asked for their risk assessment document, and they refused, saying it is Internal Confidential. That's when I rather lost my cool. I thought I'd share my response here, simply for catharsis. Not sure whether anyone was able to get much further, but my objective was to try and persuade them to support me in my efforts to at least get QF to pay for live monitoring of my credit file to alert me when someone tried to use the information for credit. Epic fail.

Hello Molly

Thank you for the detailed e-mail that provided precisely no specific information at all. I am not confident that IDCARE know what they are doing, and if they do, I fear that they have simply been contracted to provide empty reassurances to Qantas customers who have been affected by this. I suppose the hope is that we will just tire of explaining the obvious dangers here, and go away. Therefore, this appears to be a cynical exercise on the part of both Qantas and IDCARE, which is disappointing and frankly, enraging.

In relation to IDCARE's processes, the fact that assertions are made about risk with no transparency as to how the assessments were conducted, is totally unprofessional. Risk assessments should not be classified Internal Confidential, but instead be available to all customers who are being advised on risk. It is absolutely not ok to hide behind internal confidential documents to make assertions that are manifestly untrue.

As I keep saying over and over again, the fact that the specific information lost is insufficient to create new accounts or obtain credit is not the point. That level of assessment is hopelessly naïve. The point is that the information lost is immutable (I cannot simply change my date of birth or address) that should have been kept totally confidential. It is imperative that assistance be provided to affected customers for real-time monitoring of whether this information has been used. Very few additional pieces of information together with that lost would be sufficient to totally compromise my identity, and if we keep going as we are, this will be available to the scammers in the near future. My initial hope that IDCARE would have put some thought into the consequences of this data loss and provide credible advice appears to have been in vain. What I don't need is warnings to maintain personal vigilance. Qantas customers do not need an organisation like IDCARE to tell people the bleeding obvious. As such, I see no value in your advice or your company whatever.

Sincerely,
 
IDCARE and the ACCC Anti Scam Centre, can't really do much.
The breach has already happened, and that our info is already out there, in/on the dark web.
Qantas said to contact IDCARE, IDCARE said it's a small matter, they have all effectively "washed their hands of the matter", nothing can be done/undone, it's not like we or they can magically wipe the data that is on the dark web.
In fact, re adding all the available data from Optus/Medibank/Latitude and now this Qantas breach, am sure the scammers are already knowledgeable on all the info they have.
Too little, too late.
Qantas should have had a password that only they and their service provider knew, but the service provider were too keen on believing what/who the scammer said they were, using AI, and QF didn't have a special code word... so I blame both sides.
Lax systems on the side of the call centre, and also on Qantas.
===---===
No one would admit it, but I wonder if/who the scammer said they were, if they said they were VH and needed the info of 6m Aus QF/QFF members for whatever reason...
 
Good question… is any one company responsible for the collective risk through multiple data breaches?

Is the company that disclosed my driver licence three years ago now to be reprosecuted because my DL from then, plus DOB from now, could be used in some way?
 
Used for what? Assuming you had your driver licence replaced since then, you'll have a new card number so it won't pass any DVS checks, etc - your driver licence number on its own isn't much use without your card number.
 
DOB, address, mobile phone number, name, and whatever they can piece together from whatever sources.
Who knows, they might also have a credit card number somewhere, so, all one big huge hullabaloo if a scammer wanted to do max damage.
 
