Qantas does not get it: 6 million live under constant threat of ID theft and scams

Qantas does not get it. It deserves to be really punished for the 6 million poor souls that now live under the cloud of ID theft or being scammed.

It’s not about whether its IT systems are safe – it is about us, and that is why the Flying Kangaroo needs its wings severely clipped. It caused the problem by hoovering up more information than was necessary for its frequent flyer program management. Frequent Flyer is nothing more than a loyalty program that makes considerable money from selling and swapping your data with other loyalty programs.

Maurice Blackburn Lawyers has lodged a representative complaint to the Office of the Australian Information Commissioner (OAIC) against Qantas for a breach of the Privacy Act 1988 (Cth). It alleges that Qantas breached privacy laws by failing to adequately protect the personal information of its customers.

The scale and sensitivity of the exposed data have raised serious concerns. Information compromised includes:

  • Customers’ full name
  • Address
  • Email address
  • Phone number
  • Date of birth
  • Qantas Frequent Flyer numbers
  • Membership tier
  • Points balance
  • Status credits
  • Gender
  • Meal preference.

Maurice Blackburn Principal Lawyer Elizabeth O’Shea said:

“We’ve filed an official complaint with the Office of the Information Commissioner, which is the authority charged with taking action over breaches of the Privacy Act. While we await a response and potential action from the OAIC regarding Qantas’ failure to adequately protect the personal information of its customers, we encourage Qantas customers who were impacted by the breach to register with us to receive updates about the representative complaint and compensation that may be sought on your behalf.”

Registration is free and non-binding here. It is worth registering if only to poke Qantas with a blunt stick.

But the penalties are a mere flea on the Flying Kangaroo’s bum

For every A$1,000,000 gained, that is just $1.75 per person, which, after legal costs, might be half that.

Optus was only fined $1.5 million, and subsequent actions by the ACMA and one other class action may take years. The law is very vague here, and they must prove Qantas was negligent.

How much is your data really worth?

Demand for Australian data has skyrocketed as several major breaches have helped to complete dark web profiles on each of us. AI then sifts through the data and determines which targets are next – it is called ‘Fullz’ data.

  • Canva: 137 million
  • Latitude: 14 million
  • Medisecure: 12.9 million eScripts and PII
  • Optus: 9.8 million
  • Medibank: 9.7 million
  • University ProctorU: 444,000 over nine universities
  • ANU: 220,000
  • Eastern Health: four hospitals
  • Service NSW: 5 million documents and 104,000 personal records
  • Melbourne Heart Group: 15,000
  • Australian Parliament House: Multiple political party networks – Liberal, Labor, and the Nationals.
  • Northern Territory Government: 4400 emails
  • West Australian Parliament: Undisclosed
  • United Australia Party and Trumpet of Patriots: Member data
  • Fullerton Hotel Sydney: 148 gigabyte data breach, including passports
  • Vroom by YouX: Thousands of driver’s licenses, bank documents, and PII for car finance
  • Wendy Wu Tours: Passports and PII
  • Volkswagen: 800,000 owners’ records

Dark web prices vary, but as a guide (BDO Australian Scam Culture Report):

  • AU Passports: $1200
  • AU Driver’s Licences: $1500

Older data from 2023 states:

  • Credit card: $100
  • Gmail account: $60
  • Airbnb: $300
  • It is assumed that PII is included.

There is enormous value in ‘Fullz’

Fullz is a slang term for all the required data for ID Takeover (usually only requires three to five pieces of PII). It is priced at US$1,500 per record, with additional success fees on top. The data include a mix of (usually three):

Some of the methods that cybercriminals use to generate funds with fullz sets include:

  • Credit card fraud: Fraudulent transactions using a stolen credit card number or money via cash transfers.
  • Loan fraud: Apply for loans with high interest and easy application terms, like online loans or payday loans.
  • Identity fraud: Steal a person’s identity, then open bank accounts, apply for loans and credit cards, and obtain identification.
  • Account takeovers: Access to sensitive personal or business-related information. The hacker can then make fraudulent transactions using an individual’s details or the details of the business.
  • Medical identity fraud: Insurance fraud by making claims for treatments or medication the victim never received.
  • Tax refund fraud: By impersonating tax authorities, a fraudster can fool a victim into giving up information that can then be used to file an illicit tax return.
  • Buy now, pay later fraud: Make a fake account, then simply not pay for goods. The victim may find themselves liable for the item or may have their credit score negatively impacted.

Pictured above is a typical Fullz site, with a document providing full instructions for committing credit card fraud: purchasing stolen identities from online servers, connecting the credit cards to an app and making small test transactions before increasing amounts. The stated goal is withdrawing between $120 and thousands of dollars, depending on card security and the internet connection used, and it recommends using an LTE connection and funneling money through an unaware third party to conceal identity.

We have helped many carders with CC Fullz. We’ve been doing this for quite some time now, so most of the CC information we provide works. We also provide credit card images and/or driver’s license scans (front and back) for online verification purposes.

But the real worth is what it may cost you

This kind of sums it up:

JR

I am seeking legal advice regarding a serious matter involving unauthorised porting of my mobile number, identity theft, and a failure in duty of care by Optus.

On 03/06/2025, my Optus mobile number was fraudulently ported out without my consent. As a result, I lost access to my phone network, and several of my bank accounts and personal online accounts were compromised, including Westpac, ANZ, Google, and Amazon.

I attempted to resolve the issue with Optus but received no practical support, including from the Optus store, where I was refused help and asked to leave, despite remaining calm and clearly distressed. I have since filed complaints with the Telecommunications Industry Ombudsman (TIO)

LM

My details were exploited after the Optus data breaches. I’ve had endless problems accessing my bank accounts, online currency wallets, Google, and Social Media, as well as suffered fraudulent online purchases, including my shares and stocks. I’ve lost phenomenal amounts.

CyberShack’s view: Qantas does not get it. Scamming has started.

Every night since the hack, I’ve received a different robocall to a number I use as a backup, and it is in very few databases, but it is in Qantas.

I am receiving about double the scam emails that I usually do. Two were from Qantas – not.

I have had two unknown attempted bank account accesses resulting in two lockouts that took me hours to get reversed.

Call it a coincidence or opportunistic scamming, as Qantas claims the data has not been released on the dark web, but others are reporting an uptick in scam activity.

The irony is that Qantas is OK, but its customers are not! Collectively, 6 million frequent flyers will experience significant pain or loss. I urge you to register with Blackburns.

Brought to you by CyberShack.com.au

Comments

8 comments

  • I have noticed an upsurge of SPAM through my email account and mobile phone. Mostly to do with electricity supply, wellness products and the like

    • A
      Ray Shaw

      My guess is that it is not Qantas-related at this time as much as you may have visited a price comparison website or shopped online without using a junk email address. Just be ultra careful.

  • How do you know whether your data has been taken? We only received Qantas’ original “sorry, we’ll get back to you” letter. Not confident no news is good news? Change password?

    • A
      Ray Shaw

      It appears that Qantas uses AI to generate the letter (Vanessa Hudson be damned), and many email clients, like Outlook, put it into the junk folder, so check there first. Definitely change the FF password, but the real issue is that you are now a target for ID Theft and you need to be ultra careful about every online, phone and SMS contact.

  • dennis payne

    can you tell me how to register with Blackburns please.
    dennis payne

    • A
      Ray Shaw

      If you click on the ‘here’ link in the article it takes you to the registration page.

  • Greg Williams

    We have Frequent Flyers with Qantas, so far so good. Also, no problem with Optus (customers for over 20 years). I think Maurice Blackburn should tread carefully. Cheers.

    • A
      Ray Shaw

      Let’s see what transpires. It was Qantas’s attitude that upset most Frequent Flyers.
