All we knew about the Qantas hack was what Qantas told us: it was on a third-party platform. Qantas, likely due to legal and insurance considerations, has kept details of the hack confidential.
Three weeks after the Qantas hack, it directly and indirectly blamed its software providers, pointing to a third-party platform, while offering its customers little more than information about how to keep their digital identities safe. Oh, and there will be no compensation for your stolen data. Not good enough. See our earlier coverage: Qantas does not get it: 6 million live under constant threat of ID theft and scams. Please use the link to register for the class action.
Well, enterprising and respected anti-hackers have found:
- The Qantas hack occurred in its Manila Call Centre
- US-listed Concentrix runs that centre.
- The call centre runs Qantas’s cloud-based software platform Genesys.
- Its Frequent Flyer iFly database was on its CRM (customer relationship management) platform provided by US company Salesforce.
- Qantas (allegedly) last checked the security of its Manila call centre in 2019 (under different management).
CyberShack understands (and we are happy to be corrected) that an email scam link was sent to a call centre staff member who opened it, allowing fraudulent access to Qantas’ systems.
As recently as March, Salesforce warned its users that:
Social engineering tactics, including phishing and voice phishing (also known as vishing), are used to impersonate members of an IT Support team over the phone. They have been reported luring our customers’ employees and third-party support workers to phishing pages designed to steal credentials and MFA tokens or prompting users to navigate to the database login page to add a malicious connected app. In some cases, we have observed that the malicious connected app is a modified version of the Data Loader app published under a different name and/or branding. Once the threat actor gains access to a customer’s Salesforce account or adds a connected app, they use the connected app to exfiltrate data.
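As an added illustration (not from the article or from Salesforce), the Python below sketches the kind of review a defender could run over login-history records to spot OAuth logins from connected apps that are not on an approved list, or whose name mimics an approved one such as Data Loader. The record fields, the approved-app list, the "Remote Access 2.0" login type and the sample rows are assumptions constructed for this example.

```python
"""Flag connected-app logins that are unapproved or mimic an approved app.

Added example, not from the article or from Salesforce. Record fields are
assumed to mirror a Salesforce LoginHistory row; all sample data is invented.
"""
import difflib

APPROVED_APPS = {"Data Loader", "Salesforce for Outlook"}  # assumed allowlist
OAUTH_LOGIN_TYPE = "Remote Access 2.0"  # assumed value for OAuth app logins

# Constructed sample rows; IPs are documentation ranges.
SAMPLE_LOGINS = [
    {"UserId": "005xx000001", "Application": "Data Loader",
     "LoginType": OAUTH_LOGIN_TYPE, "Status": "Success", "SourceIp": "203.0.113.10"},
    {"UserId": "005xx000002", "Application": "Data Loader Pro",
     "LoginType": OAUTH_LOGIN_TYPE, "Status": "Success", "SourceIp": "198.51.100.7"},
    {"UserId": "005xx000003", "Application": "Browser",
     "LoginType": "Application", "Status": "Success", "SourceIp": "203.0.113.11"},
    {"UserId": "005xx000004", "Application": "DataLoader",
     "LoginType": OAUTH_LOGIN_TYPE, "Status": "Success", "SourceIp": "192.0.2.5"},
]


def normalise(name):
    """Lower-case and drop non-alphanumerics so 'Data Loader' == 'DataLoader'."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def classify_app(app_name):
    """Return 'approved', 'lookalike' or 'unknown' for a connected-app name."""
    if app_name in APPROVED_APPS:
        return "approved"
    norm = normalise(app_name)
    for approved in APPROVED_APPS:
        ref = normalise(approved)
        # Same name after normalising, an approved name used as a prefix
        # ("Data Loader Pro"), or a near-identical spelling all count as lookalikes.
        similar = difflib.SequenceMatcher(None, norm, ref).ratio() >= 0.8
        if norm == ref or norm.startswith(ref) or similar:
            return "lookalike"
    return "unknown"


def find_suspicious_logins(logins):
    """Return (user, app, verdict) for successful OAuth logins not from approved apps."""
    hits = []
    for row in logins:
        if row["LoginType"] != OAUTH_LOGIN_TYPE or row["Status"] != "Success":
            continue
        verdict = classify_app(row["Application"])
        if verdict != "approved":
            hits.append((row["UserId"], row["Application"], verdict))
    return hits
```

Any hit is a prompt to confirm with the user how the app was authorised and to revoke the connected app's tokens if it was not sanctioned.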
Access to Salesforce could have been disastrous, as it ties together ARD Web (Qantas’ legacy Amadeus booking and reservation system), which is accessed by tens of thousands of airlines, travel agencies, and online booking platforms.
The weak link was a call centre employee, either fooled by phishing or coerced to provide access.
Let’s examine the call centre regimen as designed by Alan Joyce to save ‘millions of money’.
- All call centres are outsourced to various providers.
- They are located in Cape Town (Bronze and Silver Levels), Fiji, Indonesia, Auckland, and Hobart (for Prestige Level members). There is a small office in Sydney for last-minute changes.
In 2022, Concentrix was appointed to address the inordinately long wait times and subpar service in Manila.
According to former Qantas staff (who obviously have no loyalty to Qantas, and we must take this as potentially correct):
These staff were put in a training room, given access to Qantas systems without being security cleared, and at that stage, all working from home and using their own dodgy internet services and Concentrix IT to access the QF IT systems.
But offshoring brought with it other problems such as shorter and less rigorous training regimes and security checking, high staff turnover, and heightened security risks.
Bringing contact centres back onshore would be an excellent opportunity for Vanessa Hudson to differentiate herself from Alan Joyce’s cost-cutting approach and create a positive brand story.
That won’t happen, as Qantas CEO Vanessa Hudson is tarred with the same brush as Alan Joyce. Cost-cutting is good for shareholders and bugger the customer.
Data security expert Spartan Security published “Lessons from the Qantas Data Breach: What’s Not Being Talked About,” squarely blaming Qantas’ cost-cutting and lack of supervisory care for the breach. It had not implemented zero-trust policies and did not care that workers were paid around US$5,000 a year to work from home in patently insecure environments. All it cared about was the tender process to get the best price.
Reminds me of the famous Astronaut John Glenn quote:
“As I hurtled through space, one thought kept crossing my mind – every part of this rocket was supplied by the lowest bidder.”
7 comments
Kerri
Totally agree with ‘former Qantas staff’ that staff had very little training and were working from home. Following issues I had with a Qantas booking, I spoke to a customer service representative in Manila and I could hear chickens clucking in the background. Very unprofessional Qantas!
Russel
To Ray Shaw, many thanks for the invaluable advice on which Router to use for better NBN performance & Wifi connectivity. I did buy the TP Deco. I now have concerns linking my TP Deco to Netcomm CloudMesh NS-01, which my NBN provider recommended. Any suggestions welcome. Thank you Russel
Ray Shaw
Hi Russel. I presume you have FTTP or HFC, and if so, do not use the Netcomm Cloud mesh (not required); instead, connect the Deco directly to the Ethernet UNI-D1 ports. If you need more help contact me at [email protected] – Ray
bruce cadd
Hi, thanks for the information. I had used my credit card to pay govt taxes and frequent flyer points. Since then I have had a new card issued by ANZ and changed the PIN number accordingly. I hope this fixes my problem. I think Qantas aren’t doing enough for their loyal QFF members. I have been a member since Jan 1999; points value is not good and it is always difficult to book on flights. Last May (2024), to use my points to go from Perth to Singapore I would have had to go via KL (quite a long layover) then back to Singapore, and the same coming home. Gave up and paid and went with Singapore Airlines. I know not all are able to afford this. Qantas have lost the plot. Thanks, Bruce Cadd
Harold Robertson
QANTAS like other big multinationals contracts these services to low cost countries and then washes its hands of responsibility to its customers. Everyone should join the class action to teach not only QANTAS but all profit hungry corporations.
Natale Cutri
There needs to be tighter government regulation to protect and compensate us consumers, but this won’t happen as all sides of politics are compromised through their free entitlements to the Chairman’s Lounge.
Terry Vickers
I wonder how many more airlines operate on extreme cost cutting procedures. Very disappointing by Qantas.