‘Second wave’ of scams to take off for 5.7m Qantas flyers

Millions of Australians have been warned not to fall for fake Qantas compensation claims after their personal information was leaked online.
The Flying Kangaroo was one of six global companies whose data was released over the weekend after the Scattered LAPSUS$ Hunters hackers followed through on a ransom threat.
The leak stemmed from the data of nearly 5.7 million Qantas customers being compromised at one of its offshore call centers using Salesforce software.
Details included full names, email addresses and Frequent Flyer details, as well as work and home addresses, dates of birth, telephone numbers, gender and, in a smaller number of cases, food preferences.
Cybersecurity expert Troy Hunt of Have I Been Pwned said the data could potentially be used for identity theft attacks because it gives hackers more verification points.
Mr Hunt, who was not particularly concerned about his own personal information being leaked, said Qantas would “lawyer up to its teeth”.
“Qantas has already spent millions and millions of dollars trying to combat this situation and now they will have to face all the inevitable class action lawsuits and things that will follow,” he told AAP.
RMIT cybersecurity professor Matthew Warren said the data leak would lead to a “second wave” of fraud.
“Other criminals will use this information to obtain additional personal information by pretending to be from Qantas or try to say ‘we are offering compensation, please share your credit card details so we can pass them on’,” he said.
“The majority of Qantas customers are Australian; you’re talking about a quarter of the population.”

Qantas offered a support line and expert identity protection advice to affected customers.
The airline also obtained an injunction from the Supreme Court of NSW to prevent the stolen data from being accessed, viewed, released, used, transmitted or published by anyone.
But it did not cover international jurisdictions where stolen databases of Qantas, Vietnam Airlines, GAP, Fujifilm and two other companies were publicly available on and off the dark web on Sunday.
“Conviction rates for cybercrime are very low,” Prof Warren said.
“Cybercriminals see no law as a real deterrent to their activities.”
Following major data breaches in 2022, compensation lawsuits were filed against Optus and Medibank.
Maurice Blackburn has already lodged a complaint with the Australian Information Commissioner’s Office regarding the Qantas data breach.
The law firm claimed Qantas had breached privacy laws by failing to adequately protect its customers’ personal information and said it would seek compensation on their behalf.

Prof Warren said the difficulty with any class action would be that the data had not been stolen in Australia and Qantas would likely argue that the third party was responsible for protecting the data.
“It gets very complicated. It’s not a straightforward situation,” he said.
“Many large companies are so focused on maximizing profits for their shareholders that they make decisions that do not make safety their first directive.”
The Federal Court on Wednesday ordered Australian Clinical Laboratories to pay $5.8 million for a data breach at its Medlab Pathology business in February 2022.
The breach led to the unauthorized access and theft of personal information of more than 223,000 people.

Australian Associated Press is the beating heart of Australian news. AAP is Australia’s only independent national news channel and has been providing accurate, reliable and fast-paced news content to the media industry, government and corporate sector for 85 years. We inform Australia.


