Six million customer records at risk of data breach

ABC NEWS (Australia)

Qantas has suffered a cyber attack on one of its servers. The airline will only say a "significant" amount of customer data has likely been stolen. It has released a statement saying it had detected unusual activity on Monday on a third-party platform used by one of its contact centres. The service records of six million of its customers are stored on the platform.

Transcript

00:00What Qantas has said, and we understand, is that customer names, emails, phone numbers,

00:07birth dates, and frequent flyer numbers are at risk, but they've said that other things

00:12such as your passport details and financial information were not leaked, apparently.

00:19So now it's six million customers, so even though it may not be a whole lot of data,

00:24it's a whole lot of people.

00:25And obviously, it follows on from other major data breaches that we've seen, Medibank

00:31Private in 2022, prompting cyber resilience laws, including mandatory reporting of compliance

00:38and incidents.

00:38We've seen Optus, the data breach as well, other large-scale breaches.

00:43But Qantas has said, OK, the credit card details are not at risk.

00:48Nonetheless, with information such as your birth date and frequent flyer number and phone

00:53number, potentially people could be at risk from someone's social engineering access to

01:01their account and changing email account to an account that the attackers might be able

01:06to use.

01:07And in fact, interestingly, that is how it seems that this attack actually succeeded with

01:12a third-party service provider, sounds like it was a telecommunications centre, and a human-to-human

01:22phone call.

01:23The attacker was not phishing, as we normally expect to see emails in our inbox that are fraudulent,

01:30trying to manipulate us to give over personal information, but phishing, that is voice phishing.

01:36And the call centre operator, we believe, was then granting some sort of access to the system

01:44over the phone to the attackers, not realising that they were being social engineered, that

01:48is, manipulated to give information or access, you know, as a result of deception.

01:54We've heard today from cyber firm CyberCX, which has been working with Qantas.

02:00They say that this incident has the hallmarks of the scattered spider hacker group.

02:06What do we know about them?

02:08Look, we understand that they're a young group, but obviously it's quite difficult to know with

02:13attribution.

02:15So, I mean, there are laboratories of companies and universities that spend a lot of time when

02:21they're actually able to get software code from attacks, which I don't think is the case

02:27here, or at least not that I've heard, and they will analyse it looking for perhaps remnants

02:32or pieces of other code that was used in other attacks or signatures in the code that point

02:38to a particular hacking group.

02:40But the belief is that this group may have actually targeted Qantas because the FBI believes that

02:49there have been attacks on North American airlines in a similar timeframe.

02:53So, Canada's WestJet and Hawaiian Airlines have both recently suffered attacks.

03:01So, you know, attribution is difficult.

03:04Even sometimes when groups claim credit, they haven't necessarily done it.

03:08And so, you know, it can be a difficult thing to actually determine.

03:13A little bit more broadly, Sulit, why do Qantas and other major companies, you mentioned earlier,

03:19previous hacks, why do they keep our data like this and what do they do with it?

03:26Well, I mean, that's an interesting question, right?

03:28So, they might use it to actually study for selling us more products or more targeted products.

03:34And then they might be part of partnerships where, you know, their partners in a frequent flyer

03:40program are selling us, you know, deep fryers or pots and pans or free trips, you know, on airlines

03:49or free stays in hotels or discounted stays.

03:52So, there are lots of reasons why they want to gather this data and potentially share it with partners.

03:58But the problem is, and what we see that, you know, is the result kind of from this data breach

04:03which is, it really highlights how interconnected businesses are and that really the network

04:10of interconnected businesses are only as strong as the weakest link.

04:14And that is particularly that supply chains are a risk.

04:18So, all you need is, you know, you can have the best fortified banking or financial services

04:23or airline system in the world.

04:26But if your suppliers don't have great cybersecurity, then your systems are also at risk.

04:31Your customers may be at risk.

04:34And it does kind of raise the specter of, look, shouldn't consumers maybe have better protection

04:40in law to ask these companies to delete our data?

04:43So, when you finish being a Qantas frequent flyer and you want to move on either to another

04:48organization or not do it anymore, shouldn't you be able, with a click of a button, very easily

04:54to ask Qantas to remove all of your data and also perhaps have more rights to say, please

05:03don't unsell my data.

05:05I mean, yes, okay, there's fine print terms.

05:08Most people don't have time to read 20 pages of legalese.

05:12And furthermore, often these things are kind of forced permission in that you don't have

05:17the right to say no.

05:18You can't, you know, you can't say, I don't want this onsold.

05:22So, I think maybe some better consumer protection in terms of the right to exit your data when

05:28you want to would reduce the risk of exposure for consumers' data because there's not that

05:34much we can do to protect ourselves, our own personal data from this sort of data breach.

Category

Transcript

Recommended