QANTAS Cyber Incident

Vietnam Airlines took all my personal details. No tier with them though. Just the usual details that ID me. I received an alert from NordVPN that these details were on the dark web now. But not about Qantas but hey ho, Qantas banned NordVPN from informing me.
 
This is a rant I have had with people, but can’t see in my history that I’ve ranted in this forum… if I have please berate me and I will delete. Start rant:

2 years ago I took 2 of my kids to NZ for Christmas… see Grandma, see Queenstown, kinda cool.

At online check-in on leaving MEL Qantas asked for passport numbers, DOBs, and full names as shown in passport… standard stuff they have to have.

A week later and we are checking in to leave Queenstown and Qantas asked for the same details again!!! I was furious as I had to do 3 people, and they had been given all this info already! The voice of reason, my eldest, suggested maybe they don’t want to hold that info in case they get hacked.

We are told that no passport numbers were stolen in the hack. Piss off a (petty) customer big time, but save millions of people being impacted. Plus I have a pretty smart kid (not inherited from me, I swear).
 
Hopefully this example may be used to set the level of any fine: $29 million. The number of users' details is roughly the same, at 6.6 million.
Yes, watch whatever happens with the Optus case - Australian Information Commissioner takes civil penalty action against Optus (plus the penalties have increased since then)


The Federal Court can impose a civil penalty of up to $2.22 million for each contravention. The Australian Information Commissioner alleges one contravention for each of the 9.5 million individuals whose privacy it alleges Optus seriously interfered with.
 
When I log in to QF website, I need three things: Membership Number, Family Name and 4-digit PIN. The first two have been published to the world (data breach) so all that stands between me and the bad people is a 4-digit PIN.

They do have lockouts after failed attempts, etc, but there can be subsequent attempts, and the brute force method has plenty of memberships to try it on. Many people will be using a year of birth as their 4-digit PIN. So start with 19, then it is just a 2-digit PIN. It would have been simple to change to a 6-digit PIN, or even better a 6-character PIN, allowing letters and numbers. Yes, technically a password, but still short enough to be easily remembered, like a car's number plate. Qantas has apparently done nothing to improve the security of login.
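As an added illustration of the point above (example code written for this thread, not Qantas's login code or policy, which is not public here), the block below puts numbers on the keyspace comparison and shows the kind of PIN-set-time policy check a login service could run to refuse year-shaped, repeated and sequential PINs. The policy rules, the 6-character minimum and the case-insensitive letters-and-digits alphabet are assumptions chosen to match the post's suggestion.

```python
from __future__ import annotations

import re

# Alphabets for the comparison the post makes: a numeric PIN versus a
# 6-character PIN that also allows letters (case-insensitive, like a number plate).
DIGITS = "0123456789"
ALNUM = DIGITS + "abcdefghijklmnopqrstuvwxyz"


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct PINs of the given length over an alphabet of that size."""
    return alphabet_size ** length


def looks_like_year(pin: str) -> bool:
    """True for 19xx or 20xx: the 'start with 19' shortcut the post describes."""
    return bool(re.fullmatch(r"(19|20)\d\d", pin))


def is_sequential(pin: str) -> bool:
    """True for runs like 1234 or 6543 (every step is +1, or every step is -1)."""
    if len(pin) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def effective_guesses(pin: str, alphabet_size: int = 10) -> int:
    """Worst-case guesses needed if the obvious patterns are tried first.

    A year-shaped 4-digit PIN collapses to the 2-digit keyspace (100 guesses)
    the post points out; anything else is the full keyspace for its length.
    """
    if looks_like_year(pin):
        return keyspace(2, 10)
    return keyspace(len(pin), alphabet_size)


def pin_issues(pin: str, min_length: int = 6) -> list[str]:
    """Hypothetical set-time policy: empty list when the PIN passes, else the reasons it fails."""
    issues = []
    pin = pin.strip().lower()
    if len(pin) < min_length:
        issues.append(f"shorter than {min_length} characters")
    if not all(c in ALNUM for c in pin):
        issues.append("contains characters outside digits and letters")
    if len(pin) >= 4 and (looks_like_year(pin[:4]) or looks_like_year(pin[-4:])):
        issues.append("starts or ends with a 4-digit year")
    if len(set(pin)) == 1:
        issues.append("single repeated character")
    if is_sequential(pin):
        issues.append("sequential run")
    return issues


if __name__ == "__main__":
    for label, length, alphabet in [("4-digit", 4, 10), ("6-digit", 6, 10), ("6-char alphanumeric", 6, 36)]:
        print(f"{label:>20}: {keyspace(length, alphabet):,} possibilities")
    # Constructed candidate PINs, not anyone's real PIN.
    for candidate in ["1975", "2001", "123456", "777777", "k7m2q9"]:
        print(candidate, "->", pin_issues(candidate) or "ok",
              "| worst-case guesses:", effective_guesses(candidate, 36))
```

The policy check is the cheap half of the fix; the lockout the post mentions only bounds guesses per membership, so a service also wants velocity limits across memberships from one source, which this block does not model.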
 
> When I log in to QF website, I need three things: Membership Number, Family Name and 4-digit PIN. The first two have been published to the world (data breach) so all that stands between me and the bad people is a 4-digit PIN.
>
> They do have lockouts after failed attempts, etc, but there can be subsequent attempts, and the brute force method has plenty of memberships to try it on. Many people will be using a year of birth as their 4-digit PIN. So start with 19, then it is just a 2-digit PIN. It would have been simple to change to a 6-digit PIN, or even better a 6-character PIN, allowing letters and numbers. Yes, technically a password, but still short enough to be easily remembered, like a car's number plate. Qantas has apparently done nothing to improve the security of login.
If you have 2FA enabled (for example using an authenticator app), you normally have to go through that process if you log in from a 'new' device.
 

> If you have 2FA enabled (for example using an authenticator app), you normally have to go through that process if you log in from a 'new' device.
Which I thought is mandatory now? And has been for a while.
 
You are correct. 2FA (MS Authenticator for me). It has been a while since I used a new device so 2FA has not been required. I still think a slightly more complex PIN would be good, and perhaps a forced PIN reset following the breach would have been prudent. I'll get off that horse now.
 
> You are correct. 2FA (MS Authenticator for me). It has been a while since I used a new device so 2FA has not been required. I still think a slightly more complex PIN would be good, and perhaps a forced PIN reset following the breach would have been prudent. I'll get off that horse now.

What has changed post-breach is that the login timers are a lot shorter now, and the 2FA "recognised device" status most certainly was reset, as I had to go through that for all of my QFF stuff on all my devices again, a few times, for my common IPs as well.
 
Over a year ago my internet provider announced they would stop supporting email addresses. Because I already had a separate Gmail account for travel, I used that as my primary address. My old account had also been compromised, so the change felt overdue.

Notifying 84 businesses and government departments was a major undertaking. While updating my contact details I changed every password, moved credentials into a password manager, and enabled two-factor authentication wherever possible. The process made me realise how resource-intensive it is to update contact details across many services.

To limit the impact of any future compromise, I created four additional email addresses and organised my accounts by category: banking, travel, government, and general use. If one address is breached I’ll only need to update a subset of services, which is far more manageable than repeating the 84-contact marathon. Because of the earlier breach I’ll be updating my Qantas account immediately. My name, date of birth, phone number, and frequent-flier number are not easily changed, so the email address is the primary variable I can control.

I keep all accounts accessible in Outlook as a single dashboard, so checking multiple inboxes isn’t onerous. A useful side benefit is that if I start receiving banking-related spam in my travel folder I’ll know to investigate promptly.

I don’t yet know how this will hold up long-term, but reducing the number of accounts I’d need to update from 80+ to around 20 already feels like a win.
 
> To limit the impact of any future compromise, I created four additional email addresses [...]
>
> I keep all accounts accessible in Outlook as a single dashboard, so checking multiple inboxes isn’t onerous. A useful side benefit is that if I start receiving banking-related spam in my travel folder I’ll know to investigate promptly.
You could use Gmail's "plus addressing" or similar from other providers, but yes, as long as you can consolidate into one interface it is a good solution (and one I've used to identify two providers who had unidentified/undeclared breaches in the past).
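The per-category mailboxes described a few posts up and the plus-addressing suggestion here share one mechanism: a distinct address per service, so mail arriving at that address from anyone other than the service is evidence the address (and likely the rest of the record) has leaked. The block below is an added example, not code from this thread or from any provider, of that attribution check run over a constructed inbox. It assumes the provider honours Gmail-style `user+tag@domain` addressing and that the mailbox name, domain, service names and message headers are all made up for the example.

```python
from __future__ import annotations

from email.utils import parseaddr

# The mailbox the tagged addresses hang off (constructed for this example).
BASE_USER = "traveller"
BASE_DOMAIN = "example.com"


def tagged_address(service: str) -> str:
    """Address to register with a service: user+tag@domain (Gmail-style plus addressing)."""
    tag = "".join(c for c in service.lower() if c.isalnum())
    return f"{BASE_USER}+{tag}@{BASE_DOMAIN}"


def tag_from_address(header_value: str) -> str | None:
    """Pull the +tag out of a To: header; None if it is not one of our tagged addresses."""
    _, address = parseaddr(header_value)
    local, _, domain = address.rpartition("@")
    if domain.lower() != BASE_DOMAIN:
        return None
    user, plus, tag = local.partition("+")
    if user.lower() != BASE_USER or not plus or not tag:
        return None
    return tag.lower()


def sender_domain(header_value: str) -> str:
    """Domain part of a From: header, lower-cased (empty string if unparseable)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def unexpected_senders(messages: list[dict], registry: dict[str, tuple[str, set[str]]]) -> list[dict]:
    """Flag mail that reached a service-specific tag from a domain that service does not use.

    registry maps tag -> (service name, domains that service legitimately sends from).
    One hit may be a forwarder or a partner; several to the same tag from unrelated
    senders is the signal that the address has leaked.
    """
    findings = []
    for msg in messages:
        tag = tag_from_address(msg["to"])
        if tag is None or tag not in registry:
            continue
        service, legit_domains = registry[tag]
        origin = sender_domain(msg["from"])
        if origin not in legit_domains:
            findings.append({"service": service, "tag": tag,
                             "from": msg["from"], "subject": msg["subject"]})
    return findings


def leaked_services(findings: list[dict]) -> dict[str, int]:
    """Count unexpected senders per service so the worst offender is obvious."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["service"]] = counts.get(f["service"], 0) + 1
    return counts


# Constructed registry and inbox: two services, each with its own tag.
REGISTRY = {
    "airline": ("Airline loyalty program", {"airline.example"}),
    "bank": ("Bank", {"bank.example"}),
}

SAMPLE_INBOX = [
    {"from": "Loyalty <noreply@airline.example>", "to": f"Me <{tagged_address('airline')}>",
     "subject": "Your points statement"},
    {"from": "Bank <alerts@bank.example>", "to": tagged_address("bank"), "subject": "New login"},
    {"from": "Promo <deals@spam-sender.example>", "to": f"<{tagged_address('airline')}>",
     "subject": "Claim your prize"},
    {"from": "Promo <deals@spam-sender.example>", "to": f"{BASE_USER}@{BASE_DOMAIN}",
     "subject": "Claim your prize"},
]

if __name__ == "__main__":
    hits = unexpected_senders(SAMPLE_INBOX, REGISTRY)
    for hit in hits:
        print(f"{hit['service']}: mail to +{hit['tag']} from {hit['from']} ({hit['subject']!r})")
    print(leaked_services(hits))
```

The untagged fourth message is ignored on purpose: spam to the bare address tells you nothing about which service leaked it, which is the whole reason for tagging in the first place. Note the caveat that some services strip or reject the `+` part of an address, in which case the separate-mailbox approach from the earlier post is the fallback.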
 
> Yes, watch whatever happens with the Optus case - Australian Information Commissioner takes civil penalty action against Optus (plus the penalties have increased since then)

A fine of that sort of magnitude is the only thing that is going to tighten up attitudes to not only security, but also alter the cost-benefit of the data collection 'side hustle' for businesses.

Personally I'm a proponent of introducing criminal liabilities in cases where negligence or recklessness can be argued. We do it for the financial industry (theoretically) and in this day and age not only can personal data be directly monetized, the adverse impact on innocent people is arguably even more direct.
 