Qantas has confirmed that a serious cyber incident may have exposed the
personal details of up to six million customers, following a breach of a
third-party contact centre platform. The national carrier said it
detected “unusual activity” on Monday involving one of its offshore
service platforms, which is operated by a call centre based in Manila.
The airline said the breach has now been contained.
One of Australia's legal firms has taken Qantas to task over a massive data breach that has left millions of customers' private information in the hands of criminals who are also targeting Telstra.
A legal firm is investigating a potential class action against Qantas after hackers threatened to release private data from their customer database.
Names, numbers, emails, addresses, birthdays and frequent flyer numbers from 5.7 million Qantas customers are at risk of being publicised, unless software company Salesforce pays a ransom by Friday.
The hacker group, Scattered Lapsus$ Hunters, also claims to have the details of Telstra customers.
In an update on its ransom site on Thursday, the group threatened to leak 100GB of Telstra customers’ personal information.
Maurice Blackburn lawyers, Australia’s leading class actions law firm, has filed a complaint to the Office of the Australian Information Commissioner (AIC) against the airline for a breach of privacy.
If you have been impacted, here’s how you can get involved.
HOW DO I KNOW IF I’M AFFECTED?
Customers have been affected differently, but if you have been a Qantas passenger you may be at risk.
By now, all impacted customers should have received an email titled “confirmation of your details impacted by the cyber incident.”
The email explains exactly which of your details were accessed by the hacker and flags an update to the Qantas Frequent Flyer platform which will be available soon and allow customers to see the “types of data held on the compromised system.”
“Our customer records are based on unique email addresses, so if you have multiple email addresses registered with Qantas, you may have received a separate notification to different impacted email addresses,” Qantas said.
Make sure to check your spam or junk folder.
WHAT IS MAURICE BLACKBURN’S COMPLAINT ABOUT?
The data breach representative complaint have been made against Qantas because they claim the airline has breached the Privacy Act 1988.
This is a law the protects how personal data is handled by the government and by many private organisations.
Maurice Blackburn alleges that Qantas failed to adequately protect the personal information of its customers.
Complaining through a representative can allow a large number of the same complaint to be processed at the same time.
WHAT PERSONAL DATA WAS STOLEN?
A wide range of personal data was accessed by the hacker.
For four million customers, the data accessed is limited to their name, email address and Qantas Frequent Flyer details.
Of these four million, 1.2 million customers only had their name and email address accessed by the hacker and the remaining 2.8 million also had their Qantas Frequent Flyer number accessed.
Most of the customers whose frequent flyer number was accessed also had their tier and, in a lesser umber of cases, their points balance and status credits.
However for 1.7 million customers, the data hack was more substantial.
Of these customers, 1.3 million had their address revealed to the hacker – this includes business addresses and also the addresses of hotels customers may have stayed in which Qantas had records of for the purpose of reuniting them with misplaced baggage.
Around 1.1 million people had their date of birth accessed.
Approximately 900,000 customers had their phone numbers accessed, 400,000 had their gender revealed to the hacker and 10,000 the meal preferences they chose on flights.
No financial data was breached.
WHO CAN PARTICIPATE IN THE COMPLAINT?
If you have been notified by Qantas that your information is at risk, then you’re able to participate.
This includes former and current customers.
It doesn't cost any more upfront and if there is a successful outcome, the cost of the service paid to Maurice Blackburn for their legal service will be deducted by the payment affected customers are entitled to.
If it’s unsuccessful no money is owed to Maurice Blackburn.
HOW DO I PARTICIPATE?
For those keen to get involved in the class action, you need your name, number, email and address to register with Maurice Blackburn.
Even if you’ve already interested your interest with another law firm you can register with Maurice Blackburn to get updates about their investigation into potential compensation.
To sign up, you can to the Register now page on the Maurice Blackburn Lawyers site under Qantas Data Breach in the Join a class action section.
Alternatively, you can get in touch with the lawyers using qantasdatabreach@mauriceblackburn.com.au
QANTAS WAS CONTACTED BY THE HACKER – WHAT’S THE LATEST?
The bad actor responsible for the hack has contacted Qantas who have refused to comment further given the active criminal investigation.
Precedence, including the Optus and Medibank incidents, suggest it is unlikely Qantas will cave and pay the ransom demand of the hacker which have not been made public but could be in the many millions of dollars.
The hacker dated the potential release of the information as October 10.
ARE CUSTOMERS VULNERABLE TO SCAMS NOW?
Qantas has recommended customers take precautionary steps and maintain an increased level of vigilance in the wake of the cyber attack.
“Remain alert, especially through email, text messages or telephone calls, particularly where the sender or caller purports to be from Qantas,” an email to impacted customers reads. “Always independently verify the identity of the caller by contacting them on a number available through official channels.
“Do not provide your online account passwords, or any personal or financial information. “Qantas will never contact customers requesting passwords, booking reference details or sensitive login information.”
Source:supplied.