QANTAS security breach-2 separate flights were cancelled without Authorisation by my ex-husband through his QFF Account on-line.

[Trudie22]

I would like to bring to the Frequent flyer communities attention, a recent event which occurred via QANTAS Frequent Flyer On-line platform.

My ex-husband had a seat booked on 2 flights I had booked through QANTAS. These flights were booked prior to our separation in August 2025.

His Frequent Flyer number was linked to his seat on these bookings which I owned & made & paid for.

He currently has a Temporary Protection Order on him, and I am awaiting a Permanent Domestic Violence Order verdict to be handed down through the court system next year.

I awoke on the 22/10/25, to receive an email from QANTAS informing me that my flight had been cancelled, and a refund was being processed. I immediately rang QANTAS about this security breach.

Do you think I could speak to an Australian customer service representative about this??? No way!!! I rung the 131313 number 6 times, and got outsourced to every other country but Australia. I am a Silver QFF member, however that means nothing because all calls go offshore now.

Eventually after insisting and patiently waiting on the phone….i was put through to a higher line manager to discuss this security breach with them, and attempt yo
have these bookings re-instated due to the security breach which had occured.

To my horror, I was accused by this manager of authorising my ex-husband to cancel 2 flights on-line, based on the fact that he had a seat booked in his name and his frequent flyer number was linked to this seat booking.

I pointed out the obvious security breach to this manager. QANTAS employees attend mandatory training to identify attempted security breaches and QANTAs have policies, procedures and protocols to prevent security breaches from occuring.

A person who is listed on a booking does not have authorisation to cancel or amend a booking. They must receive written authorisation from the person who made the booking and paid for it, only then
can they send the written authorisation to QANTAS send as evidence that the person
who is the owner of the booking has given consent to alter/and or cancel their seat on the booking made by the booking owner.

I was the owner of 2 bookings made through QANTAS. I paid for both bookings on my credit card. However, because he (my ex) had a seat allocated to him, he was able to go on-line, log into his QFF, and cancel both bookings in their entirety! There was NO security layers in place on line to prevent him from performing both of these actions. I was not alerted to either booking cancellation attempt being made by another ticket holder on my booking. He was given authorisation by QANTAS to cancel these bookings via their on-line platform, without my consent.

I did not receive a verification code to approve either booking cancellation from QANTAS, nor did I receive any 3 factor identification to confirm it was me who was conducting these cancellation requests on-line.

QANTAS flight ticket buyer beware!!!

If you put another person besides yourself on your booking, and quote their QFF number on the booking when you make it, they can access this booking on-line and cancel it!!!! No Authorisation required from you, the booking owner what so ever!

QANTAS have denied accountability for this security breach. They continue to attempt to shift the blame onto me for putting him on the booking.

I have complained to no end to QANTAS regarding this security breach, and they still will
not accept the fact that their on-line platform does not have security layers in place to protect your booking and ticket purchase. My ex conducted an act of identity theft and fraud when he cancelled 2 bookings I owned.

QANTAS have a lot to answer for, as I know for a fact that if you call QANTAS on 131313, and request a person be removed from your booking, that QANTAS instruct you to provide written authorisation from the seat holder to release them from your booking reference number made by you.

So….if your a listed passenger on another persons booking….& you want to cancel their booking out of retaliation and spite, just go on-line, log into your QFF account and cancel it! Easy as! no questions asked! no security checks! no verification code sent to the person who owns the booking itself! No security layers or safeguards whatsoever.

QANTAS have a gross lack of on-line security measures, and this is absolutely disgusting. In this day and age, every on-line platform has at the very least a verification process for transactions and booking amendments/cancellation requests.

QANTAS stole 12,000 points from me as a “refund fee”, and refuse to give them back. QANTAS facilitates security breaches via their own on-line QFF platform, take no responsibility or accountability for it, and steal your points after your ex had cancels flights bookings that you own.

The only way you can protect your booking from identity theft is to have yourself listed as the passenger on the booking made only. If you put anyone else on, and quote their QFF account number on the booking, then you (according to QANTAS) are authorising them via implied consent to cancel your booking at any time.

 

[Aeryn]

Not excusing Qantas in anyway but needing only surname and PR to view/cancel a booking is pretty typical of all airlines and I am trying to better understand the impact.

If understand you had 2 reward flights booked for two passengers (you + him) and he was able to cancel just his seats and yours remain intact?

If he is violent I imagine you woudnt want to fly with him anyway, so would you not have planned to cancel his seats anyway? Meaning you still would have been charged the 6k points / flight cancellation fee anyway?

Any points above this would have been refunded to you since you paid for the flight (although if was a cheap domestic might not have been any extra points to refund). But they are legally obliged to refund cash taxes/fess if the person doesnt fly.

Im not sure you can change the passenger on a reward booking, but if you could it would also likely incur a 5-6k points fee per flight.

To my knowledge the refund goes back to the card/account that paid for the flight so I dont think he would have got any of your points or $.

If he also cancelled your set then that is a bigger problem/inconvenience. for you. You could ask for them to reinstate your seat and waive the fee for that.

 

[MEL_Traveller]

Not excusing Qantas in anyway but I am trying to better understand impact.

If understand you had 2 reward flights booked for two passengers (you + him) and he was able to cancel just his seats and yours remain intact?

If he is violent I imagine you woudnt want to fly with him anyway, so would you not have planned to cancel his seats anyway? Meaning you still would have been charged the 6k points / flight cancellation fee anyway?

Any points above this would have been refunded to you since you paid for the flight (although if was a cheap domestic might not have been any extra points to refund). But they are legally obliged to refund cash taxes/fess if the person doesnt fly.

Im not sure you can change the passenger on a reward booking, but if you could it would also likely incur a 5-6k points fee per flight.

To my knowledge the refund goes back to the card/account that paid for the flight so I dont think he would have got any of your points or $.

If he also cancelled your set then that is a bigger problem.

I’m pretty sure that’s what the OP is saying, all bookings were cancelled by the ex partner. The OP is likely still wanting to fly.

It may not necessarily have been a malicious act by the ex to cancel both bookings. The booking should have first been split, and then he cancelled his. He may not have know how to do that, and so cancelled both. On the other hand, it may have been malicious, designed to cause maximum impact and inconvenience.

I’m not sure there’s been a security breach here per se. It’s a weakness in most airline booking systems… if you have a surname and booking reference you can cause all sorts of mischief.

 

[drron]

Sorry your predicament. Sounds like you are well rid of him. As QF seems unable to understand your situation I think it’s time to take a legal move Something like a Chamber Magistrate or whatever free legal advice services near you. Ask if you can take QF to the small debt tribunal in your state.
Maybe contact the Airline Ombudsman as well.
I would suggest you contact QF one more time and calmly tell them that you are now seeking legal advice and considering the small debt tribunal.
I realise that this situation has obviously distressed you but try hard when talking to QF to remain calm. Note the time of the call and towards the end ask which call centre it is then a name of the person you are talking to. They are likely not to tell you but as soon as the call is finished write down everything you remember of the call.
Wish you all the best through these difficult times.

 

[muppet]

The booking number and surname is essentially the booking and its password, once in anyone can cancel the flight. That’s how it works.

I would advise anyone with a booking that involves a party they do not trust to have the booking split - you don’t need written authorisation for this - that way the other party cannot interfere with your booking.

 

[MEL_Traveller]

The booking number and surname is essentially the booking and its password, once in anyone can cancel the flight. That’s how it works.

I would advise anyone with a booking that involves a party they do not trust to have the booking split - you don’t need written authorisation for this - that way the other party cannot interfere with your booking.

I was thinking about that too… but it may depend on how the PNR is split? If the partner still had the original booking reference, and the partner’s surname, they could still have cancelled that booking if that’s what they intended to do.

Only if the OP got the brand new PNR for themselves would that have prevented someone else from accessing the booking.

 

[muppet]

I was thinking about that too… but it may depend on how the PNR is split? If the partner still had the original booking reference, and the partner’s surname, they could still have cancelled that booking if that’s what they intended to do.

Only if the OP got the brand new PNR for themselves would that have prevented someone else from accessing the booking.

That’s true but at the very least your booking is no longer sitting in the Qantas App with theirs ready to be cancelled. That would be a much more deliberate act of mischief than just logging in and cancelling your own flight and also that of everyone else on the same booking.

 

[justinbrett]

I think pretty much every IATA airline works this way. There is no 2FA for managing bookings, a name and booking reference (PNR) is usually enough. In fact many times you can get all the info you need from a boarding pass - there are plenty of stories online of someone photographing their boarding pass which have enabled others to steal their information and/or mess with their booking.

If it was a true outsider who cancelled it I think QF would take responsibility, but as the person was known to you - in fact shared a booking with you - they’ve decided to go hands off.

 

[DAC1]

but it may depend on how the PNR is split? If the partner still had the original booking reference, and the partner’s surname, they could still have cancelled that booking if that’s what they intended to do.

When you split a booking on QF MMB, it gives you the option to decide who gets the existing PNR and who gets the new one.

There is no 2FA for managing bookings

Except QR who now do.

 

[oz_mark]

For most bookings, any passenger in the booking can cancel it.

 

[Princess Fiona]

I don’t think this is a security breach at all by QF.
Pretty much any booking on any airline can be modified, special meals chosen, seats selected, cancellations done by just using the booking reference and surname of a passenger on it.
Numerous examples on the internet of exactly this happening after people post their boarding passes on Socials.

I think any attempt by you to go legal here on QF will be futile and a distraction from what is clearly a very difficult time for you.

 

[Pushka]

That’s true but at the very least your booking is no longer sitting in the Qantas App with theirs ready to be cancelled. That would be a much more deliberate act of mischief than just logging in and cancelling your own flight and also that of everyone else on the same booking.

I think splitting it regardless of how its PNR is reallocated (there will be a new one generated with the split) removes this happening. They won’t remember the original.

I’m sorry to hear your issues and having a son go through similar, it’s just a coughty process. My go to statement to my son is ‘well this is why you aren’t married to them anymore”

Perhaps he didn’t realize that he was cancelling both by cancelling his? And agreeing with others this isn’t a Qantas issue.

 

[CaptJCool]

I had the situation of having split a booking (which I couldn’t do online) involving a friend whom I fell out with and myself that QF would NOT refund his ticket paid on my credit card without HIS Authorisation.
That was a difficult moment and at least he came to the party and gave QF that authorisation.

I can well imagine someone cancelling in spite given the circumstances. It’s all very well to give someone the benefit of the doubt - that said, probably splitting the tickets and cancelling only his was the least of the OP concerns even if it was the most practical solution.

Reinstating a cancelled reward ticket is probably the key issue here now going forward.

 

[DejaBrew]

Firstly, I'm very sorry to hear about your predicament @Trudie22 . As others have already suggested, this is - on the face of it, at least - an unfortunate reality in terms of how bookings can be managed and QF are not strictly on the hook here.

I can appreciate that this is an exceedingly frustrating scenario, however as one of the QF agents with whom I was speaking last night said, "...you can often catch more flies with honey than you can with vinegar." QF agents have the ability to make all sorts of things happen, so if you haven't already done so, I would be inclined to try and calmly explain the situation to an agent and see what can be done to assist you in this matter? If you go in "guns blazing" then they will understandably get very defensive and be less willing to assist you. In fact, their supervisors will likely fully support them refusing to engage further with you.

At the very least, I would be expecting that the points cost for the award seats would be refunded to you (minus any change/cancellation cost in points, although under the circumstances, you would likely have a good argument for getting that waived), and as has already been pointed out, you are entitled to a refund of cash taxes/fees. That would be the baseline acceptable outcome IMHO. From there, you may find that Qantas are willing to compromise given the specifics of your circumstances and as a good faith measure, reissue you your original reward booking(s).

I highly doubt you'll get this resolved in one call, and you will likely need to escalate. But if you can remain calm, stick to the facts of the situation and be clear about the minimum acceptable scenario and your entitlements if the bookings are indeed cancelled, then you'll at least have a baseline from which to work in trying to see this issue through to some form of acceptable resolution.

Best of luck