Qantas Frequent Flyer data breach: The first of many more transport-specific attacks


The FBI has issued a warning that the Qantas Frequent Flyer data breach is the first of many more transport-specific attacks.

Six million Qantas Frequent Flyers had names, email addresses, phone numbers, birth dates, and Frequent Flyer numbers hacked.

Qantas issued a letter on 2 July (at the end of the article), but frankly, it’s the kind of PR pap we have come to expect from this once-great but now very shoddy airline.

It offers nothing to the ‘hackees’ (us), and its mea culpa is as weak as tepid tea, kind of a ‘we are OK’ and screw you. Qantas is there for shareholders, not the Spirit of Australia. How can they ‘confirm all Qantas systems remain secure’ when that is clearly not the case?

The FBI warning about the Qantas Frequent Flyer data breach is more chilling

The FBI says the stolen data is almost enough for identity theft, especially if it is added to your dark web profile. Date of Birth is often requested when telephoning a bank or utility provider. Phone numbers are used for SMS scams and SIM Swap – your smartphone is the weakest security link. Email addresses are used for phishing and spoofing.

The FBI has warned that the attackers see this hack as a success that earns them bragging rights, and states that the ransomware group, known for its attacks on the retail and insurance sectors, is shifting its focus to transportation, and aviation in particular.

Why did the Qantas Frequent Flyer data breach happen? Qantas won’t admit anything

Qantas states that a cybercriminal accessed one of its call centres and gained access to a customer service platform.

The FBI analysts are now saying (and Qantas will neither deny nor confirm) that it was an inside job conducted within a call centre, either by a cybercriminal it had employed, a compromised employee or a cybercriminal impersonating an employee.

In any case, someone deliberately hacked the system from within, and that is how most major hacks occur. Qantas did not adequately vet its call centre supplier, its staff or its systems.

The FBI stated (paraphrased)

Scattered Spider is thought to be “a group of loosely affiliated individuals that collaborate and share their tradecraft in a forum called TheCom. These are young and globally distributed, but most often from Western countries. They are motivated by profit, but also by the desire to achieve a significant victory that impresses their peers. Most importantly, they target opportunistically. If they enjoy success against a target in any given industry, they’ll rinse and repeat against similar organisations.” That appears to be what is happening with the Qantas attack.

Vanessa Hudson, CEO, said,

“We are treating this incredibly seriously and have implemented additional security measures to further strengthen our systems. Our customers can be assured that we have the right expertise and resources dedicated to resolving this matter thoroughly and effectively.”

Was that flying pink Qantas jumbos I see?

CyberShack’s view: Sorry, the Qantas Frequent Flyer data breach is personal and affects the security of 6 million of us.

Let me make a long story short. In the early 1980s, I had racked up over 1 million Ansett Flyer points because, well, it was a privately run airline (good old Sir Reg), and TAA (Try Another Airline, later Qantas) was government-run and one of the worst for reliability and service.

Ansett crashed due to typical two-airline skulduggery (underhanded or unscrupulous behaviour) from TAA and a resource-draining partnership with Air New Zealand.

In 1982, I purchased a Life Membership from Qantas, and I’ve had a love-hate relationship with it ever since. Mostly hate because Alan Joyce has ruined our national treasure. That was reflected in his hubris (unwarranted excessive pride and self-confidence), and that attitude pervaded the airline, right down to the hard-working, ever-smiling flight attendants and those poor baggage handlers who were unfairly sacked.

After some of the consistently worst long-haul business-class flights ever, I vowed not to fly Qantas again. Virgin gets my vote, and I’m happy to sit in the back and board like cattle because its staff love their work and company, and it’s not Qantas. Internationally, I won’t suffer Qantas’s poor service, running out of food and sad-sack attendants, because when I do complain, I get a paltry offer of a few Frequent Flyer points.

This airline is run for the benefit of its shareholders. There’s nothing wrong with making a profit, as any well-run company should (if only to stay in business); however, so far, Vanessa Hudson has done nothing to regain my confidence. She is beholden to a Board, and her letter is poorly written and reflects that Qantas-first mentality.

Qantas Letter 2 July 8.28 PM

Dear 
I’m writing to inform you that we believe your personal information was accessed during the cyber incident we recently experienced. I want to personally apologise that this has happened and explain what we know and how we’re supporting you.

What happened

A cyber criminal targeted one of our airline call centres and gained access to a customer servicing platform. On Monday, we detected unusual activity on a third-party platform used by a Qantas airline contact centre. We then took immediate steps and contained the system. We can confirm all Qantas systems remain secure.

Information that was accessed

Our initial investigations show the compromised data may include names, email addresses, phone numbers, birth dates and Frequent Flyer numbers.
 
Importantly, your credit card details, financial information, passport details, and Frequent Flyer passwords were not accessed. Your Qantas Points and account remain secure.

What we’re doing for you

Regular updates will be available on our dedicated webpage. We’ve also established a dedicated support line for affected customers on 1800 971 541 or +61 2 8028 0534, with access to specialist identity protection advice and resources through this team.

 
What you should do

We recommend:

  • Remaining alert for unusual communications claiming to be from Qantas
  • Being cautious of emails or calls asking for personal information or passwords

Remember, Qantas will never contact you requesting passwords, booking reference details or sensitive login information.
 
I want to reassure our Qantas Frequent Flyers that there’s no requirement to reset your password or pin. If you’re having trouble accessing your account, reset your password or call the Qantas Frequent Flyer Service Centre on 13 11 31 or +61 2 9433 2329.

Your travel

If you have upcoming travel, you can check your flight details through the Qantas App or website as normal.

Our commitment

We’re taking this incident extremely seriously and working with government agencies and independent cyber security experts. We’re implementing additional security measures to strengthen system monitoring and protection of your information as part of our response. If we identify new important information as we continue to investigate and respond to this incident, we will share it with our customers.
 
Again, we are deeply sorry this occurred and our focus is on doing all we can to support you.

Vanessa Hudson
CEO
Qantas Group

Qantas incident webpage

Brought to you by CyberShack.com.au
