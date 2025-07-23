All we knew about the Qantas hack was what it told us. It was on a third-party platform. Qantas, likely due to legal and insurance considerations, has kept details of the hack confidential.

Three weeks after the Qantas hack, it directly and indirectly blamed its software providers, pointing to a third-party platform, while offering its customers little more than advice on how to keep their digital identities safe. Oh, and there will be no compensation for your stolen data. Not good enough, as we argued in Qantas does not get it: 6 million live under constant threat of ID theft and scams. Please use the link there to register for the class action.

Well, enterprising and respected anti-hackers have found:

The Qantas hack occurred in its Manila Call Centre

US-listed Concentrix runs that centre.

The call centre runs on Genesys, Qantas’s cloud-based contact-centre software platform.

Its Frequent Flyer iFly database was on its CRM (customer relationship management) platform provided by US company Salesforce.

Qantas allegedly last checked the security of its Manila call centre in 2019 (under different management).

CyberShack understands (and we are happy to be corrected) that an email scam link was sent to a call centre staff member who opened it, allowing fraudulent access to Qantas’ systems.

As recently as March, Salesforce warned its users that:

Social engineering tactics, including phishing and voice phishing (also known as vishing), are used to impersonate members of an IT Support team over the phone. They have been reported luring our customers’ employees and third-party support workers to phishing pages designed to steal credentials and MFA tokens or prompting users to navigate to the database login page to add a malicious connected app. In some cases, we have observed that the malicious connected app is a modified version of the Data Loader app published under a different name and/or branding. Once the threat actor gains access to a customer’s Salesforce account or adds a connected app, they use the connected app to exfiltrate data.
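The advisory above describes a two-step pattern: a staff member is talked into authorising an unfamiliar (often rebranded Data Loader) connected app, and that app then pulls data out in bulk. As an added illustration, not part of the CyberShack article and not Salesforce tooling, the script below shows the kind of correlation a Salesforce admin could run over exported audit records to catch exactly that sequence: an app outside the allow-list (flagged as a look-alike if its name is within a couple of edits of an approved one) followed soon after by a large Bulk API job through it. The sample records, field names, allow-list and thresholds are constructed assumptions for illustration, not a real org’s data.

```python
"""Spot the pattern from the Salesforce advisory: an unfamiliar or look-alike
connected app is created, then bulk data leaves through it shortly afterwards.
All records, field names, the allow-list and thresholds below are constructed
assumptions for illustration, not a real org's export."""
from datetime import datetime, timedelta

APPROVED_APPS = {"Data Loader", "Salesforce for Outlook"}  # assumed allow-list (hypothetical)
LOOKALIKE_MAX_DIST = 2        # edit distance that counts as a typo-squat of an approved name
ROW_THRESHOLD = 100_000       # rows in one bulk job before we treat it as an export
WINDOW = timedelta(hours=48)  # how soon after app creation a bulk job is "linked" to it

# Constructed SetupAuditTrail-style records (field names are assumptions).
SETUP_AUDIT = [
    {"CreatedDate": "2025-06-29T09:15:00Z", "CreatedBy": "admin@airline.example",
     "Action": "createdConnectedApp", "Display": "Created connected app: Data Loader"},
    {"CreatedDate": "2025-06-29T21:04:11Z", "CreatedBy": "agent42@contractor.example",
     "Action": "createdConnectedApp", "Display": "Created connected app: Dataloder"},
    {"CreatedDate": "2025-06-30T08:00:00Z", "CreatedBy": "admin@airline.example",
     "Action": "createdConnectedApp", "Display": "Created connected app: Survey Sync"},
    {"CreatedDate": "2025-06-30T08:05:00Z", "CreatedBy": "admin@airline.example",
     "Action": "changedPassword", "Display": "Changed password"},
]

# Constructed Bulk API job summaries (field names are assumptions).
BULK_JOBS = [
    {"Timestamp": "2025-06-29T10:00:00Z", "User": "admin@airline.example",
     "ConnectedApp": "Data Loader", "Entity": "Account", "RowsProcessed": 500},
    {"Timestamp": "2025-06-29T23:40:02Z", "User": "agent42@contractor.example",
     "ConnectedApp": "Dataloder", "Entity": "Contact", "RowsProcessed": 1_900_000},
    {"Timestamp": "2025-07-03T02:00:00Z", "User": "agent42@contractor.example",
     "ConnectedApp": "Dataloder", "Entity": "Contact", "RowsProcessed": 200_000},  # outside WINDOW
    {"Timestamp": "2025-06-30T09:00:00Z", "User": "admin@airline.example",
     "ConnectedApp": "Survey Sync", "Entity": "Contact", "RowsProcessed": 2_000},   # unapproved but small
]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z as UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def norm(name: str) -> str:
    """Lower-case and strip punctuation/spaces so 'Data Loader' and 'dataloader' compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch rebranded or typo-squatted app names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def unapproved_apps(audit):
    """Map each connected app created outside the allow-list to its creator, creation
    time, and whether its name is a look-alike of an approved app."""
    apps = {}
    for rec in audit:
        if rec["Action"] != "createdConnectedApp":
            continue
        name = rec["Display"].split(": ", 1)[1]
        if name in APPROVED_APPS:
            continue
        dist = min(levenshtein(norm(name), norm(a)) for a in APPROVED_APPS)
        apps[name] = {"creator": rec["CreatedBy"], "created": parse_ts(rec["CreatedDate"]),
                      "lookalike": dist <= LOOKALIKE_MAX_DIST}
    return apps


def correlate(audit, jobs):
    """Alert on bulk jobs above ROW_THRESHOLD that run through an unapproved app
    within WINDOW of that app being created."""
    apps = unapproved_apps(audit)
    alerts = []
    for job in jobs:
        app = apps.get(job["ConnectedApp"])
        if app is None or job["RowsProcessed"] < ROW_THRESHOLD:
            continue
        when = parse_ts(job["Timestamp"])
        if not (app["created"] <= when <= app["created"] + WINDOW):
            continue
        alerts.append({"app": job["ConnectedApp"], "lookalike": app["lookalike"],
                       "creator": app["creator"], "user": job["User"],
                       "entity": job["Entity"], "rows": job["RowsProcessed"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SETUP_AUDIT, BULK_JOBS):
        print(alert)
```

On the constructed data only the "Dataloder" job fires: it is a one-edit look-alike of "Data Loader", created by a contractor account, and 1.9 million Contact rows leave through it within hours of creation. The later 200,000-row job through the same app falls outside the window and the small "Survey Sync" job never crosses the row threshold, which is the point of correlating the two signals rather than alerting on every new app.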

Access to Salesforce could have been disastrous, as it ties together ARD Web (Qantas’ legacy Amadeus booking and reservation system), which is accessed by tens of thousands of airlines, travel agencies, and online booking platforms.

The weak link was a call centre employee, either fooled by phishing or coerced to provide access.

Let’s examine the call centre regimen as designed by Alan Joyce to save ‘millions of money’.

All call centres are outsourced to various providers.

They are located in Cape Town (Bronze and Silver Levels), Fiji, Indonesia, Auckland, and Hobart (for Prestige Level members). There is a small office in Sydney for last-minute changes.

In 2022, Concentrix was appointed to address the inordinately long wait times and subpar service in Manila.

According to former Qantas staff (who naturally have no loyalty to Qantas, so we treat this as plausible rather than confirmed):

These staff were put in a training room, given access to Qantas systems without being security cleared, and at that stage were all working from home, using their own dodgy internet services and Concentrix IT to access the QF IT systems. But offshoring brought with it other problems, such as shorter and less rigorous training regimes and security checking, high staff turnover, and heightened security risks. Bringing contact centres back onshore would be an excellent opportunity for Vanessa Hudson to differentiate herself from Alan Joyce’s cost-cutting approach and create a positive brand story.

That won’t happen, as Qantas CEO Vanessa Hudson is tarred with the same brush as Alan Joyce. Cost-cutting is good for shareholders and bugger the customer.

Data security expert Spartan Security published “Lessons from the Qantas Data Breach: What’s Not Being Talked About,” squarely blaming Qantas’ cost-cutting and lack of supervisory care for the breach. It had not implemented zero-trust policies and did not care that workers were paid around US$5,000 a year to work from home in patently insecure environments. All it cared about was the tender process to get the best price.

It recalls the famous quote attributed to astronaut John Glenn:

“As I hurtled through space, one thought kept crossing my mind – every part of this rocket was supplied by the lowest bidder.”

