Qantas Hack Victims 'Disappointed, But Not Surprised' by Cyber Attack

Last week's major cybersecurity breach at Qantas has left hundreds of thousands of customers feeling vulnerable, angry, and unsupported. The airline quietly confirmed on Monday night that it had been contacted by a potential cybercriminal less than a week after the data of up to 6 million customers was accessed in an online attack.

Qantas says it is still working to verify the legitimacy of the contact and has engaged the Australian Federal Police to investigate. However, the airline has yet to officially confirm the name of the group that has been able to access passenger names, email addresses, phone numbers, dates of birth, and Frequent Flyer numbers.

Cyber experts say that the type of data stolen in the Qantas attack could be very valuable to cybercriminals. "With this particular matter, the biggest risk coming out of this will not be access to Qantas data specifically, but moreover that those 6 million people will be targeted in related type scams," said Stan Gallo, Forensic Services partner with BDO Australia.

Customers are now questioning whether Qantas is doing enough to protect Australians' personal data. "I'm a pretty savvy person, and it still even took me a couple of minutes to sort of ask him enough questions to be satisfied that it wasn't a legit call," said Ebe Ganon, a Canberra-based disability advocate who received a scam call from someone pretending to be from Qantas Money.

Ganon's experience is not unique. Dozens of Qantas customers have contacted the ABC in the wake of the cyber attack to express their frustration with the airline. Some have since been targeted by scammers or received alerts from online accounts including the federal government portal myGov.

"They guessed five passwords before being locked out," said Jack Allison, an Adelaide-based customer who received an alert from myGov at 6:30pm – right about the time Qantas emailed him to confirm his personal data had been caught up in the breach. "Once they're inside myGov, they'd be able to access people's tax records, their medical history, it's not good."

Allison is disturbed by Qantas's offshore handling of sensitive data. "I deeply dislike that personal information is being handed across the globe without my knowledge and consent," he said.

Calls for a bigger stick to protect customer information are growing. Lawyers say current privacy laws offer limited paths to justice – and are badly in need of reform. "There is a process that they go through to determine whether you've experienced any harm and you can be awarded compensation," said Lizzie O'Shea, principal lawyer at Maurice Blackburn.

"One of the problems with that scheme is that the commissioner's office is overwhelmed by complaints of this nature," she added. "That means that instead of going to the commissioner, where the process can be slow, you have a direct right of action to go to court. That means you can sue companies that have mishandled your information and obtain compensation."

O'Shea said there was an urgent need to reform the Privacy Act. "Because at the moment companies can have these data breaches occur and there may not be a clear remedy or a pathway to getting the result for people who are harmed, and I think most Australians think that's not good enough," she said.

Until that happens, Qantas customers will continue to feel vulnerable. "So I think my expectations are low. I'm disappointed but not surprised," said Ebe Ganon.