Qantas hack: Aus intelligence agencies helping airline in data breach probe likely linked to Scattered Spider

Six million Qantas customers are at risk of having their personal information released onto the dark web as the airline confirmed that it had been the victim of a major cyber attack.
A Manila-based call centre used by Qantas was compromised in a so-called vishing attack, where cybercriminals pose as trusted entities to trick victims into releasing sensitive data such as login credentials.
Qantas said it detected unusual activity on a third party platform used by its airline contact centre on Monday, and took immediate steps to contain the platform, but confirmed customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers had been stolen.
Fortunately, Qantas says, credit card details, personal financial information and passport details are not held on that system. Nor were frequent flyer accounts, passwords and PIN numbers.
The company said there was no impact to operations or the safety of the airline.
Qantas said it was investigating the attack and has notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. The Australian Federal Police had also been notified.
“We sincerely apologise to our customers and we recognise the uncertainty this will cause. Our customers trust us with their personal information and we take that responsibility seriously,” Qantas chief executive Vanessa Hudson said.
“We are contacting our customers today and our focus is on providing them with the necessary support.”
Minister for Home Affairs and Cyber Security Tony Burke said the Government’s National Cyber Security Coordinator and the Australian Signals Directorate are working closely with Qantas and he also confirmed that the airline was fully cooperating with Government agencies.
“We’ve worked through the different communication they’re giving to people. I’ve been checking that they’ve been keeping closely engaged with both the Signals Directorate and the Cybersecurity Coordinator, and they have been, and they’ve been giving access, and doing whatever’s asked,” Mr Burke told the ABC.
“The stage that we’re at right now is making sure that a vulnerability that was exposed isn’t enlarged.”

Mr Burke warned customers to be on the lookout for any suspicious communication from Qantas.
“Because emails and phone numbers have been compromised, if anyone gets a cold call from Qantas, hang up. If you’re going to talk to Qantas on the phone, use the published number and you make the call.
“If you get an email that is asking you to click through on a link in any way, don’t respond to it. The only way to deal with them digitally is to work through the Qantas app. The nature of these criminals is, once they’ve got the information, they either sell it, or they use it, or they try to ransom it, so people just need to be on guard that whenever you get these cold calls, hang up, call the numbers that you know.”
Qantas frequent flyers were also warned that the four-digit PIN used to log in to the company’s website should be updated immediately if it consisted of a common PIN like 1111 or 1234.
Matt Warren, Director of the RMIT University Centre for Cyber Security Research & Innovation, said the data would likely be on-sold to other criminal gangs who would use the information to try to hack into other accounts or commit identity fraud.
He said it was critical that people not only ensured they had unique passwords for each service they log in to, but also activated multi-factor authentication, which requires users to verify their identity using two or more different factors, such as a password and a code sent to their phone.
Third parties a weak link
Qantas said while investigations were ongoing it could not confirm whether the Manila-based call centre was the same provider that was the victim of a similar attack that affected customers of North America’s Hawaiian Airlines and WestJet in the last two weeks.
According to the US Federal Bureau of Investigation, the perpetrator was likely to be the UK and USA-based cybercriminal group Scattered Spider. The group is a loose affiliate of mostly English-speaking hackers who talk their way into accessing corporate computer systems, then on-sell the login information to outside cybercriminals who then install ransomware and try to extort payment.
On 28 June, the FBI warned the gang was targeting the airline sector.
“They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk. Once inside, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware,” the FBI wrote on X.
“They use social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access.”
While details had not been released, Mr Warren said third party providers were a particularly attractive entrance point for cybercriminals.
“There have been problems of security in call centres before, where insiders have taken data and sold it on for financial gain. That’s the problem of the insider threat, you don’t actually have to breach the security mechanisms of a company. You just have to compromise one person who is able to access that information,” he said.
Mr Warren said many Australian companies who have outsourced parts of their operations to third parties would be looking to their processes.
Amid rising customer concerns, firms would “review all of their relationships with third party organisations in terms of ensuring that they have appropriate security.”
Mr Burke said companies would not be able to pass the buck on cybersecurity to the outsourced company.
“I’ve said this to Qantas. I’ve said this to all the businesses outsourcing. You can’t outsource your cybersecurity obligations when you start using third party companies.”