Millions of Qantas customers are being told how much of their personal data was taken by cyber criminals in last week's raid, leaving many reeling from the revelation. The airline has revealed that a staggering 5.7 million customer records were impacted when a third-party system used by an offshore call centre was hacked.
Of those, the names, email addresses, and frequent flyer details of four million customers were exposed to the world. However, for the remaining 1.7 million customers, their personal data was compromised even further, including their dates of birth, phone numbers, personal or business addresses, gender, and – in a surprising twist – meal preferences.
A total of 10,000 meal preferences fell prey to the cyber attack, leaving many Qantas customers wondering how much more of their personal info was exposed. The airline has assured customers that there is no evidence so far that any personal data stolen has been released on the dark web, but specialist cybersecurity experts are "actively" monitoring for breaches.
No financial information, credit card details, or passport details were stored in the system and therefore not accessed during the hack, Qantas maintained. However, frequent flyer accounts, passwords, PINS, and login details remain safe, according to the airline. "The data that was compromised is not enough to gain access to these frequent flyer accounts," the airline said.
The update comes a week after the cyber attack, which left Qantas customers stunned. It was later revealed that the offshore call centre had been scammed into giving a caller access to the third-party site. The hacker claiming responsibility for the theft of the data remains anonymous, but multiple cyber experts believe the group responsible is called Scattered Spider, a cabal of young cybercriminals living in the US and the UK.
The US Federal Bureau of Investigation recently warned that the group was targeting the airline sector by impersonating legitimate users to bypass multi-factor authentication and access systems. Qantas has set up more cybersecurity measures to protect customer data and continues to examine how the attack happened. "We remain in constant contact with the National Cyber Security Co-ordinator, Australian Cyber Security Centre, and the Australian Federal Police," said chief executive Vanessa Hudson.
Customers are urged to remain alert to emails, text messages or phone calls when the sender purports to be from Qantas. It's also recommended that customers deploy two-step authentication on accounts and don't provide account passwords, personal or financial information via an email, call, or text. The incident serves as a stark reminder of the importance of cybersecurity in today's digital age.
Security experts warn that scam attempts may skyrocket in the wake of the hack, similar to the rise in impersonation attacks when Optus was hacked in 2022, exposing 10 million customers' details. Legal experts suggest the incident could lead to a class action against Qantas, after compensation claims were made against Optus and Medibank following major breaches in 2022.