Qantas data leak: Scams 'second wave' to take off for 5.7 million customers, expert warns

Millions of Australians have been cautioned not to fall for bogus Qantas compensation claims after having their personal information leaked online.
The flying kangaroo was one of six global companies to have their data released at the weekend after hackers from Scattered LAPSUS$ Hunters made good on a ransom threat.
The leak stemmed from up to 5.7 million of Qantas’ customers having their data compromised in one of its offshore call centres that used Salesforce software.
Details included full names, email addresses and Frequent Flyer details, as well as business and home addresses, dates of birth, phone numbers, gender and, in fewer cases, meal preferences.
The data could potentially be used for identity theft attacks as it gave hackers more points of verification, said cybersecurity expert Troy Hunt from Have I Been Pwned.
While not overly concerned about his own personal information being leaked, Mr Hunt said Qantas would be “lawyered up to their eyeballs”.
“Qantas has already spent millions and millions handling this and they will now have to face all the inevitable class actions and things that will follow,” he told AAP.
RMIT cyber security professor Matthew Warren said the data leak would lead to a “second wave of scams”.
“Other criminals are going to use that information pretending to be from Qantas trying to elicit additional personal information or trying to say ‘we are offering compensation please share your credit card details so we can transfer’,” he said.
“Most Qantas customers are Australians - you’re talking about a quarter of the population.”
Qantas has offered a support line and specialist identity protection advice to affected customers.
The airline also obtained an injunction from the NSW Supreme Court to prevent the stolen data being accessed, viewed, released, used, transmitted or published by anyone.
But it did not cover international jurisdictions, with the stolen databases of Qantas, Vietnam Airlines, GAP, Fujifilm and two other companies publicly available on and off the dark web on Sunday.
“The rates of cyber crime conviction are so low,” Prof Warren said.
“Cyber criminals don’t see any laws being a real deterrent against their activities.”
Compensation claims were made against Optus and Medibank following major data breaches in 2022.
A complaint over the Qantas data breach has already been lodged by Maurice Blackburn with the Office of the Australian Information Commissioner.
The law firm has alleged Qantas breached privacy laws by failing to adequately protect the personal information of its customers and said it would seek compensation on their behalf.
Prof Warren said the challenge to any class action would be that the data was not stolen in Australia and Qantas would likely argue the third party was responsible for protecting the data.
“It just becomes very complex. It isn’t a clear case,” he said.
“Many large corporations are so focused on maximising profit for shareholders that they make decisions that don’t necessarily put security as their first directive.”
The Federal Court on Wednesday ordered Australian Clinical Labs to pay $5.8 million for a data breach of its Medlab Pathology business in February 2022.
The breach led to more than 223,000 people’s personal information being accessed and exfiltrated without authorisation.