Qantas Cyber Attack: Consumers at Mercy of Companies
A devastating cyber attack on Qantas has highlighted the vulnerability of consumers' personal data, leaving many wondering why New Zealand's privacy laws are so outdated and inadequate.
The breach, which compromised six million customers' details, is a stark reminder of the need for robust data protection measures. According to Consumer NZ chief executive Jon Duffy, "The problem with attacks of this nature is consumers have no agency or ability to protect themselves." He emphasized that companies collecting and holding consumer data must have robust systems in place to prevent such breaches.
Qantas has stated that a cyber criminal targeted a call centre and gained access to a third-party customer-servicing platform, exposing sensitive information including names, email addresses, phone numbers, birth dates, and frequent flyer numbers. The attack had hallmarks of the Scattered Spider cyber crime group, which has targeted airlines.
A Flawed Privacy Regime
Duffy pointed out that New Zealand's privacy complaint system is a far cry from those in other jurisdictions like Europe. He noted that under the Australian Privacy Act, Qantas would likely face stiffer penalties than it would if it were a New Zealand company.
"In New Zealand, an individual who's impacted by a privacy breach would have to complain to the Office of the Privacy Commissioner," Duffy said. "The Office of the Privacy Commissioner could then refer it to the Human Rights Review Tribunal, and the Human Rights Review Tribunal could assess that individual's case and perhaps dole out a penalty... And so it's a much more time-consuming process."
Duffy also highlighted the outdated nature of New Zealand's Privacy Act. "The Act says someone should only collect information proportionate to what was needed," he said. "If you're asked for your name, address and date of birth... you should have a need for each of those data points, and the user should consent to providing that information on the basis that you've explained why you need it." Duffy emphasized that consumers currently have to complain and prove they have suffered harm in order to take action.
Consequences and Recommendations
Duffy stressed that Qantas customers are at risk of financial losses, such as from having to cancel passports or credit cards. He advised customers to regularly update their account passwords, especially if they use the same password across multiple accounts.
Patrick Sharp, Aura Information Security general manager, predicted that the stolen information would be sold multiple times in different chunks and used for scams and telemarketing.
A Call to Action
The Qantas cyber attack highlights the need for more robust data protection measures and a comprehensive privacy regime. Consumer NZ is urging companies to prioritize consumer data protection and policymakers to review and update New Zealand's outdated privacy laws.