Qantas Frequent Flyer data breach: The first of many more transport-specific attacks


The FBI has issued a warning that the Qantas Frequent Flyer data breach is the first of many more transport-specific attacks.

Six million Qantas Frequent Flyers had names, email addresses, phone numbers, birth dates, and Frequent Flyer numbers hacked.

Qantas issued a letter on 2 July (at the end of the article), but frankly, it’s the kind of PR pap we have come to expect from this once-great but now very shoddy airline.

It offers nothing to the ‘hackees’ (us), and its mea culpa is as weak as tepid tea, kind of a ‘we are OK’ and screw you. Qantas is there for shareholders, not the Spirit of Australia. How can they ‘confirm all Qantas systems remain secure’ when that is clearly not the case?

The FBI warning about the Qantas Frequent Flyer data breach is more chilling

The FBI says the stolen data is almost enough for identity theft, especially if it is added to your dark web profile. Date of Birth is often requested when telephoning a bank or utility provider. Phone numbers are used for SMS scams and SIM Swap – your smartphone is the weakest security link. Email addresses are used for phishing and spoofing.

The FBI has warned that this hack is seen as a success, boasting bragging rights, and states that the ransomware attack group, known for its attacks on the retail and insurance sectors, is shifting its focus to transportation and aviation in particular.

Why did the Qantas Frequent Flyer data breach happen? Qantas won’t admit anything

Qantas states that a cybercriminal accessed one of its call centres and gained access to a customer service platform.

FBI analysts are now saying (and Qantas will neither confirm nor deny) that it was an inside job conducted within a call centre, either by a cybercriminal the contractor had employed, a compromised employee, or a cybercriminal impersonating an employee.

In any case, someone deliberately hacked the system from within, and that is how most major hacks occur. Qantas did not adequately vet its call centre supplier, its staff or its systems.

The FBI stated (paraphrased):

“Scattered Spider is thought to be a group of loosely affiliated individuals that collaborate and share their tradecraft in a forum called TheCom. These are young and globally distributed, but most often from Western countries. They are motivated by profit, but also by the desire to achieve a significant victory that impresses their peers. Most importantly, they target opportunistically. If they enjoy success against a target in any given industry, they’ll rinse and repeat against similar organisations. That appears to be what is happening with the Qantas attack.”

Vanessa Hudson, CEO, said:

“We are treating this incredibly seriously and have implemented additional security measures to further strengthen our systems. Our customers can be assured that we have the right expertise and resources dedicated to resolving this matter thoroughly and effectively.”

Was that flying pink Qantas jumbos I see?

CyberShack’s view: Sorry, the Qantas Frequent Flyer data breach is personal and affects the security of 6 million of us.

Long story short: in the early 1980s, I had racked up over 1 million Ansett Flyer points because, well, it was a privately run airline (good old Sir Reg), and TAA (Try Another Airline, later Qantas) was government-run and one of the worst for reliability and service.

Ansett crashed due to typical two-airline skulduggery (underhanded or unscrupulous behaviour) from TAA and a resource-draining partnership with Air New Zealand.

In 1982, I purchased a Life Membership from Qantas, and I’ve had a love-hate relationship with it ever since. Mostly hate because Alan Joyce has ruined our national treasure. That was reflected in his hubris (unwarranted excessive pride and self-confidence), and that attitude pervaded the airline, right down to the hard-working, ever-smiling flight attendants and those poor baggage handlers who were unfairly sacked.

After some of the consistently worst long-haul business-class flights ever, I vowed not to fly Qantas again. Virgin gets my vote, and I’m happy to sit in the back and board like cattle because its staff love their work and company, and it’s not Qantas. Internationally, I won’t suffer Qantas’s poor service, running out of food and sad-sack attendants, because when I do complain, I get a paltry offer of a few Frequent Flyer points.

This airline is run for the benefit of its shareholders. There’s nothing wrong with making a profit, as any well-run company should (if only to stay in business); however, so far, Vanessa Hudson has done nothing to regain my confidence. She is beholden to a Board, and her letter is poorly written and reflects that Qantas-first mentality.

Qantas Letter 2 July 8.28 PM

Dear 
I’m writing to inform you that we believe your personal information was accessed during the cyber incident we recently experienced. I want to personally apologise that this has happened and explain what we know and how we’re supporting you.

What happened

A cyber criminal targeted one of our airline call centres and gained access to a customer servicing platform. On Monday, we detected unusual activity on a third-party platform used by a Qantas airline contact centre. We then took immediate steps and contained the system. We can confirm all Qantas systems remain secure.

Information that was accessed

Our initial investigations show the compromised data may include names, email addresses, phone numbers, birth dates and Frequent Flyer numbers.
 
Importantly, your credit card details, financial information, passport details, and Frequent Flyer passwords were not accessed. Your Qantas Points and account remain secure.

What we’re doing for you

Regular updates will be available on our dedicated webpage. We’ve also established a dedicated support line for affected customers on 1800 971 541 or +61 2 8028 0534, with access to specialist identity protection advice and resources through this team.

 
What you should do

We recommend:

  • Remaining alert for unusual communications claiming to be from Qantas
  • Being cautious of emails or calls asking for personal information or passwords

Remember, Qantas will never contact you requesting passwords, booking reference details or sensitive login information.
 
I want to reassure our Qantas Frequent Flyers that there’s no requirement to reset your password or pin. If you’re having trouble accessing your account, reset your password or call the Qantas Frequent Flyer Service Centre on 13 11 31 or +61 2 9433 2329.

Your travel

If you have upcoming travel, you can check your flight details through the Qantas App or website as normal.

Our commitment

We’re taking this incident extremely seriously and working with government agencies and independent cyber security experts. We’re implementing additional security measures to strengthen system monitoring and protection of your information as part of our response. If we identify new important information as we continue to investigate and respond to this incident, we will share it with our customers.
 
Again, we are deeply sorry this occurred and our focus is on doing all we can to support you.

Vanessa Hudson
CEO
Qantas Group

Qantas incident webpage

Brought to you by CyberShack.com.au

Comments

9 comments

  • Gary McMillan

    Name the board members and have their individual comments published.
    I am another unhappy member that paid to be a life member, what a disappointment Qantas are.

    • Ray Shaw

      There is an old joke. Q: How do you make a small business? A: Start with a big one. Alan Joyce ripped the guts out of Qantas to please shareholders and receive mega pay packets and bonuses. The Flying Kangaroo started limping, but rusted-on, patriotic Aussies kept it going. I used to fly a lot (and I mean a lot!) and I can’t remember the last time I had an even mediocre flight. By contrast, when I use other carriers, the joy of flying returns. I don’t know the answer except that companies that focus on extraordinary shareholder returns usually fail in the long run. Interestingly, if Qantas listened to its pilots and staff, it would have all the answers it needs to regain Australians’ confidence.

  • TERRY WHITCHURCH

    I’m a UK citizen, now living in Australia. I’ve been using Qantas for my travel since 1997. (And I have had issues in the past.)
    I’m a pensioner, 89 this year, currently in the UK visiting family & friends. My return tickets (Qantas) for 02-08-25 will be coming up soon. I’m hoping to come back in 2026. What do you suggest?
    Could I ask Qantas for a refund (return fare) and book another return flight?
    I don’t need this at my age. Please advise soonest.
    Cheers,
    Terry.

    • Ray Shaw

      Hi Terry
      Unless you can get a guaranteed 100% refund from Qantas, you are stuck. I don’t think Qantas cares about one person, but if everyone else who has been screwed over or had poor service votes with their wallets, then Qantas may take notice. Having flown the Kangaroo route, Qantas (business class) was appalling and we won’t use it again. Emirates, Qatar, Singapore Airlines, and Cathay are excellent.

  • More of a stuff up than a slip up as Qantas chose to describe it!
    Not good enough.

    • Ray Shaw

      The damage is done, and Qantas needs to be held to account. At the very least, offer first-class round-the-world airfares 😁 and credit reporting, as well as dark web monitoring.

  • I agree.
    Most media (and Qantas) are ignoring the fact that this almost completes the required info for identity fraud, and if combined with Dark Web scraping using AI, it won’t be too long before this crime spikes.
    Whilst we can’t change our DOB, and it is a huge inconvenience to change our mobile, do you think changing our email address will help reduce this risk?

    • Ray Shaw

      Hi Ian
      I use a junk Gmail address for all online things, and I know that if I get an email to that address, it’s likely junk or a scam. I use another for all financial accounts and yet another for all personal emails. One thing I will never do is allow Apple or Google to store my passwords – that’s why I use LastPass. BTW, you can usually take off X years from your DOB for the junk addresses. But the damage is done and Qantas needs to be held to account. At the very least offer first class round the world airfares 😁 and credit reporting and dark web monitoring.

  • I appreciate you sharing this blog post. Thanks Again. Cool.
