There is no evidence that any personal data stolen from Qantas has been released as the carrier updates customers on their personal data that was compromised as a result of the cyber hack at one of its call centres last week.
Qantas said it has sought the support of specialist cyber security experts and will continue to actively monitor the dark web for leaked data.
Qantas has reconfirmed no credit card details, personal financial information or passport details were stored in the call centre system breach, believed to be in Manila, and therefore have not been accessed.
Qantas said there continues to be no impact to Qantas Frequent Flyer accounts and passwords, PINs and login details were not accessed or compromised. The data that was compromised is not enough to gain access to these frequent flyer accounts.
“Our absolute focus since the incident has been to understand what data has been compromised for each of the 5.7 million impacted customers and to share this with them as soon as possible,” Qantas Group CEO Vanessa Hudson said.
“From today we are reaching out to customers to notify them of the specific personal data fields that were held in the compromised system and offer advice on how they can access the necessary support services.
“Since the incident, we have put in place a number of additional cyber security measures to further protect our customers data and are continuing to review what happened.
“We remain in constant contact with the National Cyber Security Coordinator, Australian Cyber Security Centre and the Australian Federal Police. I would like to thank the various agencies and the Federal Government for their continued support.”
The finer details
After removing duplicate records, its investigation found that there were 5.7 million unique customers’ data held in the system. Specific data fields vary from customer to customer, Qantas said in a statement.
The analysis of customers’ personal data has found (all numbers are approximate):
4 million customer records are limited to name, email address and Qantas Frequent Flyer details.
Of this:
- 1.2 million customer records contained name and email address.
- 2.8 million customer records contained name, email address and Qantas Frequent Flyer number. The majority of these also had tier included. A smaller subset of these had points balance and status credits included.
Of the remaining 1.7 million customers, their records included a combination of some of the data fields above and one or more of the following:
Address – 1.3 million. This is a combination of residential addresses and business addresses including hotels for misplaced baggage delivery.
Date of birth – 1.1 million
Phone number (mobile, landline and/or business) – 900,000
Gender – 400,000. This is separate to other gender identifiers like name and salutation.
Meal preferences – 10,000
Customer records are based on unique email addresses and customers with multiple email addresses may have multiple accounts.
Advising customers of their personal data impacted
Qantas is progressively emailing affected customers to advise them of the types of their personal data that was contained in the impacted system and provide advice and support.
Customers can continue to access the dedicated support line on 1800 971 541 or +61 2 8028 0534. This service remains available 24/7 and customers have access to specialist identity protection advice and resources through this team.
Advice to customers
Qantas recommends that customers take the following general precautionary steps and remain vigilant to any misuse of their personal information:
- Remain alert, especially with email, text messages or telephone calls, particularly where the sender or caller purports to be from Qantas. Always independently verify the identity of the caller by contacting them on a number available through official channels;
- Where available, use two-step authentication – such as an authentication application – for personal email accounts and other online accounts;
- Stay informed on the latest threats by visiting the Australian Cyber Security Centre and the National Anti-Scam Centre’s Scamwatch webpage;
- Visit IDCARE’s Learning Centre and the Office of the Australian Information Commissioner website for further information and resources on protecting personal information; and
- Do not provide your online account passwords, or any personal or financial information. Qantas will never contact customers requesting passwords, booking reference details or sensitive login information.
Customers who believe they have been targeted by scammers should report it to Scamwatch.
Heightened cybersecurity risks
A report from the US Cyberspace Solarium Commission 2.0 Project has highlighted the heightened cybersecurity risks facing the international aviation sector and argues the industry must address vulnerabilities stemming from ageing technology and outdated software, amid growing risks from sophisticated bad actors. In an op-ed published by Aviation Week, PA Consulting digital trust & cybersecurity experts Justin Lowe and PA Consulting aviation expert Carlos Ozores, argued that cyber hacks paired with the industry’s increasing reliance on interconnected technology systems, put commercial airlines, airports and US federal agencies are under increasing pressure to address their growing exposure to online threats.
Other recent cyber incidents include the targeting of airports around the world, most recently a ransomware cyberattack at Kuala Lumpur International Airport.
The European Union Aviation Safety Agency (EASA), which has responsibility for civil aviation safety in the European Union, reported an average of 1,000 cyberattacks per month on aviation systems worldwide. These attacks stem from low-skilled individuals and sophisticated nation-state actors, posing unique threats to airport systems and data.
Apart from frequent flyer data, other information stored in aviation can include baggage handling systems, passenger flow sensors, biometric immigration controls and security scanning.
