Qantas says 5.7 million affected by breach, leaked info not enough to access frequent flyer accounts

Australian airline Qantas provided a breakdown of the data stolen during a cyberattack announced last week, saying that a limited amount of frequent-flyer information was exposed. 

In an updated advisory on Wednesday afternoon, the company said the data of 5.7 million people was exposed last week when hackers breached a Qantas contact center.

Of the total, 2.8 million customers had names, email addresses and Qantas Frequent Flyer numbers leaked. At least 1.7 million other customers had some combination of that information and either home addresses, dates of birth, phone numbers, meal preferences or genders exposed. 

No credit cards or passport details were leaked, the advisory said. The information stolen is not enough to breach Qantas Frequent Flyer accounts, the company added. 

Qantas Group CEO Vanessa Hudson said the company is in contact with Australia’s national cyber and police agencies as it conducts its forensic investigation into the incident. 

The company said on June 30 that hackers breached a Qantas contact center containing 6 million customer service records. Since the attack, Qantas officials have faced backlash in Australia for providing confusing answers on the state of the incident. 

On July 4, the company released a blog saying a “potential cyber criminal has made contact, and we are currently working to validate this.” The company later deleted that line and added a new sentence that said it had “not been contacted by anyone claiming to have the data.”

Qantas declined to answer questions from Recorded Future News about whether it has been contacted by the hackers who breached the call center or whether a ransom was demanded. 

Hudson spoke to Australian news outlet ABC’s The Business on Wednesday and said they “have confirmed that we have received contact from somebody purporting to be the criminal actor in this instance.” 

“But what we are also saying is this is the subject of a criminal investigation and the AFP are leading that, and we are not going to make any more comments about that,” she added, declining to clarify whether the company had ever received a ransom request. 

Incident response continues

In a statement, Hudson said Qantas is beginning to notify customers through email of what specific personal data was held on the compromised system. The emails also warn customers that Qantas is aware of reports of scammers impersonating the company. 

Victims need to ensure that all emails end in “.qantas.com.”

In last Friday’s update, the company said the hackers had been fully expelled from the breached system. 

The attack on Qantas occurred as cybersecurity experts and federal law enforcement agencies warned of a campaign targeting the airline industry by members of the Scattered Spider cybercriminal group. 

Qantas has not confirmed that Scattered Spider is involved but both Hawaiian Airlines and WestJet were allegedly attacked by the group over the last month. 

The FBI said it recently observed Scattered Spider achieving access into company systems by “impersonating employees or contractors to deceive IT help desks into granting access.” 

The group is well-known for targeting the kind of contact centers mentioned in Qantas’ statements. After a lull in activity following major ransomware attacks on MGM Casino and Caesars Entertainment, the group resurfaced over the last six months — targeting the retail and insurance industries before pivoting again to aviation. 

Large companies like Victoria’s Secret, Aflac, Marks & Spencer and Adidas have dealt with attacks over the last three months.