QANTAS Cyber Incident

Vietnam Airlines took all my personal details. No tier with them though. Just the usual details that ID me. I received an alert from NordVPN that these details were on the dark web now. Not about Qantas, but hey ho, Qantas banned NordVPN from informing me.
 
This is a rant I have had with people, but can’t see in my history that I’ve ranted in this forum… if I have please berate me and I will delete. Start rant:

2 years ago I took 2 of my kids to NZ for Christmas… see Grandma, see Queenstown, kinda cool.

At online check-in on leaving MEL Qantas asked for passport numbers, DOBs, and full names as shown in passport… standard stuff they have to have.

A week later and we are checking in to leave Queenstown and Qantas ask for the same details again!!! I was furious as I had to do 3 people, and they had been given all this info already! The voice of reason, my eldest, suggested maybe they don’t want to hold that info in case they get hacked.

We are told that no passport numbers were stolen in the hack. Piss off a (petty) customer big time, but save millions of people from being impacted. Plus I have a pretty smart kid (not inherited from me, I swear).
 
Hopefully this example may be used to set the level of any fine: $29 million. The number of users' details is roughly the same, at 6.6 million.
Yes, watch whatever happens with the Optus case: Australian Information Commissioner takes civil penalty action against Optus (plus the penalties have increased since then).


The Federal Court can impose a civil penalty of up to $2.22 million for each contravention. The Australian Information Commissioner alleges one contravention for each of the 9.5 million individuals whose privacy it alleges Optus seriously interfered with.
 
When I log in to QF website, I need three things: Membership Number, Family Name and 4-digit PIN. The first two have been published to the world (data breach) so all that stands between me and the bad people is a 4-digit PIN.

They do have lockouts after failed attempts, etc, but there can be subsequent attempts, and the brute force method has plenty of memberships to try it on. Many people will be using a year of birth as their 4-digit PIN. So start with 19, then it is just a 2-digit PIN. It would have been simple to change to a 6-digit PIN, or even better a 6-character PIN, allowing letters and numbers. Yes, technically a password, but still short enough to be easily remembered, like a car's number plate. Qantas has apparently done nothing to improve the security of login.
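As an added illustration of the spraying attack the post above describes (this is not code from any poster, and not Qantas's actual policy or data), the following Python models what a per-account lockout buys you when the attacker already holds the membership number and family name for a large pool of accounts. It compares a 4-digit PIN where a share of users pick a birth year against a uniform 6-digit PIN and a uniform 6-character alphanumeric PIN. The 30% birth-year share, the 1940-2005 year range, the 3-attempts-per-account lockout and the one-million-account pool are constructed assumptions.

```python
"""Constructed model of PIN spraying against a login that needs a membership
number, a family name and a short PIN, where the first two are already public.

Added illustration only: the user-behaviour figures, lockout threshold and
account count are assumptions, not Qantas data or policy."""
from fractions import Fraction
import string

DIGITS = string.digits                              # 10 symbols
ALNUM = string.ascii_lowercase + string.digits      # 36 symbols


def four_digit_with_birth_years(year_share=Fraction(3, 10), years=range(1940, 2006)):
    """Assumed 4-digit PIN distribution: year_share of users pick their birth
    year (19xx/20xx), everyone else picks uniformly from 0000-9999.
    Returns a dict PIN -> probability that sums to exactly 1."""
    base = (1 - year_share) / 10000
    probs = {f"{n:04d}": base for n in range(10000)}
    per_year = year_share / len(years)
    for y in years:
        probs[f"{y:04d}"] += per_year
    return probs


def spray_order(probs):
    """PINs in the order an attacker should try them: most popular first.
    With the model above the 19xx/20xx years come out ahead of everything else."""
    return sorted(probs, key=lambda pin: probs[pin], reverse=True)


def fraction_cracked(probs, guesses_per_account, windows=1):
    """Expected fraction of accounts opened when the attacker gets
    guesses_per_account attempts per account before lockout, repeated over
    `windows` lockout windows (a lockout that expires only slows the attacker)."""
    attempts = guesses_per_account * windows
    return sum(probs[pin] for pin in spray_order(probs)[:attempts])


def fraction_cracked_uniform(alphabet, length, guesses_per_account, windows=1):
    """Same quantity for a PIN chosen uniformly from alphabet**length,
    computed without enumerating the space (36**6 is about 2.2e9 strings)."""
    size = len(alphabet) ** length
    attempts = min(guesses_per_account * windows, size)
    return Fraction(attempts, size)


def expected_accounts_opened(fraction, accounts):
    """Expected number of accounts opened by one spray across `accounts` users."""
    return fraction * accounts


if __name__ == "__main__":
    ACCOUNTS = 1_000_000   # assumed pool of leaked (number, surname) pairs
    GUESSES = 3            # assumed lockout after 3 failed attempts per account
    four = four_digit_with_birth_years()
    print("attacker's first guesses:", spray_order(four)[:5])
    for label, frac in [
        ("4-digit, 30% use birth year", fraction_cracked(four, GUESSES)),
        ("6-digit, uniform", fraction_cracked_uniform(DIGITS, 6, GUESSES)),
        ("6-char alphanumeric, uniform", fraction_cracked_uniform(ALNUM, 6, GUESSES)),
    ]:
        opened = float(expected_accounts_opened(frac, ACCOUNTS))
        print(f"{label:30s} {float(frac):.2e} -> ~{opened:.0f} accounts")
```

The point the numbers make is the one the post makes: a per-account lockout limits guesses per account, not guesses per attacker, so the attacker simply spends their three guesses on the most popular PINs across every account they hold credentials for. Under these assumptions that opens on the order of a percent of the pool with a 4-digit PIN, versus a handful of accounts in a million with a uniform 6-digit PIN and essentially none with 6 alphanumeric characters. Rate limiting by source and by membership number, and a forced PIN reset, attack the other side of the equation.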
 
If you have 2FA enabled (for example using an authenticator app), you normally have to go through that process if you log in from a 'new' device.
 
Which I thought is mandatory now? And has been for a while.
 
You are correct. 2FA (MS Authenticator for me). It has been a while since I used a new device so 2FA has not been required. I still think a slightly more complex PIN would be good, and perhaps a forced PIN reset following the breach would have been prudent. I'll get off that horse now.
 
What has changed post breach is the login timers are a lot shorter now, and 2FA "recognised device" most certainly was reset, as I had to go through that for all of my QFF stuff on all my devices again a few times for my common IPs as well.
 
