Qantas flyers claim passport, security information leaked during Flying Kangaroo’s app access debacle

Neale Prior
The Nightly
Security specialists warn that potential scammers had sufficient information to identify potential targets. Credit: Amber Lilley/North West Telegraph

Qantas is probing the depth of leaks in its mobile phone app debacle amid claims that users could wrongfully access information held under international security agreements.

Regular users of the Qantas app are claiming to have seen on Wednesday the nationality, passport number and birth date of other frequent flyers who had put this sensitive data into the airline’s Advanced Passenger Information system.

Qantas holds this information pursuant to a series of inter-government agreements to help border and police forces in signatory states to fight crime and terrorism while minimising interruption to passenger flow.


The airline and the Federal Office of the Australian Information Commissioner are remaining tight-lipped about the depth of other customers’ information exposed in the Qantas app debacle.

Both declined to comment on suspected leaks of material from the Advanced Passenger Information system visible on the Qantas app.

In a carefully managed Facebook group for platinum-level Qantas frequent flyers, one regular contributor issued a warning to fellow regular travellers after claiming to have seen sensitive passport and birth date information of other users.

“This is very concerning, especially if you have upcoming international bookings,” he said.

The debacle involved Qantas app users seeing another person’s landing page containing their name, frequent flyer number, points and any boarding passes and flight bookings.

Security specialists warn that potential scammers had sufficient information to identify potential targets for frequent flyer points rorts with that available material.

Qantas has made a series of carefully crafted public statements on Wednesday and Thursday that narrowed the scope of assurances to frequent flyers.

In a Wednesday morning update, Qantas said some frequent flyers were “able to see the travel information of other customers, including name, upcoming flight details, points balance and status”.

“No further personal or financial information was shared or shown and customers would not have been able to transfer or use the Qantas Points of other frequent flyers,” it said.

A Qantas update on Thursday morning did not repeat the assurances about personal information, but reassured frequent flyers their financial information was not accessible and their points could not be transferred.

Regular users of Qantas chat sites were reporting by late Wednesday having clicked beyond the cover page of the airline’s app to the Advanced Passenger Information of international travellers.

A Perth businessman, who found an edited screen grab of his wife’s Qantas app cover page on a Facebook page, said he was getting new passports for both of them ahead of overseas trips.

“I don’t want the risk of someone else knowing such sensitive stuff,” he said.

The Office of the Australian Information Commissioner said in a statement that it had been contacted by Qantas about Wednesday’s events, which it described “as a good reminder of the privacy risks to companies that use apps to manage their customers’ data”.

“Qantas needs to assess the incident as quickly as possible,” the agency said.

“If it’s a data breach that is likely to result in serious harm, they must notify the people affected and the OAIC as quickly as possible.”
