‘It’s all over the place’: Qantas customer data leaked
Australian airline passengers are on high alert after hackers leaked the personal information of up to 5.7 million Qantas customers.
Qantas confirmed on Sunday it was among a number of global companies whose data was published by cybercriminals.
“With the help of specialized cybersecurity experts, we are investigating what data was part of the broadcast,” a company spokesperson said.
The data was stolen in a cyberattack from Qantas’ third-party platform provider Salesforce in early July.
Records were stolen by Scattered LAPSUS$ Hunters from 39 major companies, including Qantas, Disney, Toyota and FedEx.
The group was holding customers’ data and threatened to release it at 3pm AEDT on Saturday unless Salesforce paid an undisclosed ransom, which it refused to do.
The Qantas data included full names, email addresses and Frequent Flyer details of a smaller number of customers, as well as work and home addresses, dates of birth, phone numbers, gender and food preferences.
No credit card information, personal financial information or passport information was compromised, nor were passwords, PINs and logins for frequent flyer accounts compromised.
Cybersecurity expert Troy Hunt of Have I Been Pwned said a security researcher in another part of the world verified his data, which included the names of his wife and son and his frequent flyer balance.
Hackers published data belonging to Qantas, Vietnam Airlines, GAP, Fujifilm and two other companies, the online security expert told AAP.
Qantas obtained an injunction from the Supreme Court of NSW to prevent the stolen data from being accessed, viewed, published, used, transmitted or published by anyone.
It offered a support line and expert identity protection advice to affected customers.
Mr Hunt said the data was removed on Saturday but was backed up to the same hosting provider on Sunday morning.
“It’s everywhere,” he said.
“There is absolutely no way to put the genie back in the bottle.”
He said all six files were publicly available through a file-sharing service, and after the domain name was seized by the FBI, the hackers created a new, clear web address.
“This exists not just on the dark web, but across the entire open web,” he said.
Mr Hunt said the data could potentially be used for identity theft attacks because it gave hackers more verification points.
While he wasn’t overly concerned about his personal information being leaked, he said Qantas would “lawyer up” and be wary of a potential class action lawsuit.
Optus faced a similar breach in 2022; Details of more than 10 million customers had been compromised, and an incident on Dymocks in 2023 led to details of more than a million people being shared on the dark web.
Mr Hunt said hackers were shifting from ransomware to privacy attacks, making it more difficult for companies to manage extortion attempts.
“We’re now in a situation where someone says ‘send us money, we’ll delete all the data, honest word,'” he said.
“So you can see that this is actually not the same as older ransomware for which there is some evidence.”
A Salesforce spokesperson said the company “will not engage, negotiate or pay any extortion claims.”
Australia’s Associated Press is the beating heart of Australian news. AAP is Australia’s only independent national news channel and has been providing accurate, reliable and fast-paced news content to the media industry, government and corporate sector for 85 years. We inform Australia.
