‘Second wave’ of scams warning to Qantas flyers

Millions of Australians have been cautioned not to fall for bogus Qantas compensation claims after having their personal information leaked online.

Oct 13, 2025, updated Oct 13, 2025
A cybersecurity expert has warned of a 'second wave' of scams after a Qantas data leak.

The flying kangaroo was one of six global companies to have their data released at the weekend after hackers from Scattered LAPSUS$ Hunters followed through on a ransom threat.

The leak stemmed from up to 5.7 million of Qantas’ customers having their data compromised in one of its offshore call centres that used Salesforce software.

Details included full names, email addresses and frequent flyer details, as well as business and home addresses, dates of birth, phone numbers, gender and, in some cases, meal preferences.

The data could potentially be used for identity theft attacks as it gave hackers more points of verification, cybersecurity expert Troy Hunt from Have I Been Pwned said.

While not overly concerned about his own personal information being leaked, Hunt said Qantas would be “lawyered up to their eyeballs”.

“Qantas has already spent millions and millions handling this and they will now have to face all the inevitable class actions and things that will follow,” he said.

RMIT cyber security professor Matthew Warren said the data leak would lead to a “second wave of scams”.

“Other criminals are going to use that information pretending to be from Qantas trying to elicit additional personal information or trying to say ‘we are offering compensation please share your credit card details so we can transfer’,” he said.

“Most Qantas customers are Australians – you’re talking about a quarter of the population.”

Qantas has offered a support line and specialist identity protection advice to affected customers.

The airline also obtained an injunction from the NSW Supreme Court to prevent the stolen data being accessed, viewed, released, used, transmitted or published by anyone.

But it did not cover international jurisdictions, with the stolen databases of Qantas, Vietnam Airlines, GAP, Fujifilm and two other companies publicly available on and off the dark web on Sunday.

“The rates of cyber crime conviction are so low,” Warren said.

“Cyber criminals don’t see any laws being a real deterrent against their activities.”

Compensation claims were made against Optus and Medibank following major data breaches in 2022.

A complaint over the Qantas data breach has already been lodged by law firm Maurice Blackburn with the Office of the Australian Information Commissioner.

It alleges Qantas breached privacy laws by failing to adequately protect the personal information of its customers and seeks compensation on their behalf.

Warren said the challenge to any class action would be that the data was not stolen in Australia. Qantas would likely argue the third party was responsible for protecting the data.

“It just becomes very complex. It isn’t a clear case,” he said.

“Many large corporations are so focused on maximising profit for shareholders that they make decisions that don’t necessarily put security as their first directive.”

The Federal Court last Wednesday ordered Australian Clinical Labs pay $5.8 million for a data breach of its Medlab Pathology business in February 2022.

The breach led to more than 223,000 people’s personal information being accessed and exfiltrated without authorisation.

-with AAP
