Scammers could have a direct route to devising targeted scams for millions of Qantas customers in coming months as the airline reveals exactly what personal data was exposed in a major cyber attack.

Australia’s largest airline on Wednesday disclosed details of the 5.7 million customer records impacted when a third-party system used by an offshore call centre was hacked.

Of those, the names, email addresses and frequent flyer details of four million customers were exposed.

The remaining 1.7 million customers had more data taken, including their names, email addresses, dates of birth, phone numbers, personal or business addresses, gender and meal preferences.

In total, about 10,000 meal preferences were accessed.

A cybersecurity expert warned compromising such personal information was a “good starting point” for scammers to target individuals.

“I see this as stage one of the continuous Qantas situation,” RMIT University’s Matthew Warren told AAP.

Scam attempts would likely start with people impersonating Qantas staff in the weeks and months to come as criminals tried to gain financial or passport details, he said.

But the attempts could become more targeted from there, including business invoice scams, especially if the information was distributed widely on the dark web.

Qantas maintains there is no evidence so far any stolen personal data has been released.

Professor Warren said it was only a matter of time before the hackers published the data but they would likely try to hold Qantas to ransom first.

“If the data is then sold on the dark net, you’re then going to get other groups spending a lot more time trawling through the data and trying to identify possible ways to undertake scams,” he said.

Qantas has begun individually notifying almost six million customers which of their specific personal details have been exposed in the attack.

The airline previously said a possible cybercriminal had contacted it about the hack, but would not confirm whether a ransom demand had been received.

Australian Federal Police investigators are also probing the breach.

Sydney-based customer Nick Allison received an email on Wednesday morning notifying him that his name, frequent flyer number and tier were exposed in the cyber raid.

Mr Allison, who was also embroiled in the 2022 Optus and 2023 Dymocks hacks, is worried about a rise in phishing attempts as a result of his data being exposed.

“Is it going to be every single email that I get sent for the rest of my life from Qantas? Is that a scam? Is that real?” he said.

“How am I going to know? They’ve got all that data.”

Mr Allison said he had lost some trust in Qantas in the wake of the hack.

“It makes me very hesitant to give Qantas more information in the future. Is it going to get lost?” he said.

As the scam risk grows, customers are being urged to remain alert to emails, text messages or phone calls if the sender purports to be from Qantas.

“Regularly review your compromised accounts and other linked accounts for unusual activity,” cybersecurity technology firm McAfee’s Tyler McGee said.

The identity of the group responsible for the attack remains a mystery, although multiple experts believe it is the work of Scattered Spider, a cabal of young cybercriminals living in the US and the UK.

Qantas said it had set up extra cybersecurity measures to protect customer data.

Source: AAP