Another CIO sweats it for 48 hours, then back to collecting C-suite salary regardless of if the company gets slapped with a small fine.
Australian airline Qantas reveals data theft impacting six million customers
Australian airline Qantas on Wednesday revealed it fell victim to a cyberattack that saw information describing six million customers stolen. “On Monday [June 30], we detected unusual activity on a third party platform used by a Qantas airline contact centre,” states a company announcement. “We then took immediate steps and …
COMMENTS
-
Thursday 3rd July 2025 15:27 GMT MachDiamond
Re: Ahhh, the old third party trick eh?
"Odd how it's always a "third party" platform. As if that makes it ok. We drop copied all your shit to someone else and it turned out they were a fuck-wit"
One would think that an enterprise as large as Qantas would have the dosh to handle their own data in-house. What advantage does outsourcing this stuff have at such a large scale? For a small company it does make sense to outsource some data handling to be able to spend budgets on the core of the business when the costs would be too high or timing is an issue. A long established firm in a well understood business should be working to keep their IP private. If they want to do analysis on the data they have, they can in-source the people they need on contract.
With many big companies, their data is their business. A food company may have tried and tested recipes that people like and need to keep those secret, but more important is their marketing data, customer lists, vendor lists, etc. Plenty of companies can put peas in a can. The value in the business IS the IP and that needs looking after, not sent out to anybody.
-
Friday 4th July 2025 00:38 GMT hoofie2002
Re: Ahhh, the old third party trick eh?
It's much easier to punt it to an outsourcer who will cut their throat for a deal hoping to make it up on project work, variances etc.
Qantas don't have to carry any liabilities or headcount on their books and just pay a fee every month on a 3-5 year contract.
-
Wednesday 2nd July 2025 08:53 GMT NapTime ForTruth
You know...
... I'm not sure this ranks as "news" anymore. It seems like anyone who holds our data has, is, or inevitably will utterly lose control of it or otherwise squander that data with no meaningful repercussions.
It's like people getting shot during a war, there's no way to avoid it and nattering on about it is just depressing.
Water is wet. War is terrible. The vaunted "tech industry" is a chaotic scam to turn personal and business data into gifts for criminals.
If we're not willing or able to change that, can we at least stop talking about it?
(Icon for this being enough to drive a person to drink...more, a lot more.)
-
Wednesday 2nd July 2025 11:32 GMT David Newall
Interview asked why they keep it?
There are various reasons, such as future marketing.
Safeguarding customer data might be their highest priority, but not as high as making an extra buck by spamming existing customers.
I guess the safety of their staff & customers, which is also their highest priority, is lower still.
Highest ain't what it used to be.
-
Wednesday 2nd July 2025 13:50 GMT Anonymous Coward
Re: Interview asked why they keep it?
Irrespective of whether they keep it or not (and wrongs and wrongs of that), it's apparent that there's a total absence of any meaningful access controls. Time after bloody time, the crims are able to either exfiltrate vast amounts of data with not a soul noticing that a sizeable proportion of the total data stash is being copied across the network, or to delete or encrypt it.
In this day and age you'd have to be stupid to have any accounts with such blanket access, or a network monitoring system that can't spot exfiltration to unknown IPs....but then again, stupidity seems to be humanity's superpower.
-
Wednesday 2nd July 2025 20:00 GMT spireite
Code-share customers?
Back in 2019, I flew on Qantas through a Singapore Airlines ticket.
I assume, that as it was a code share, it was also a legal datashare and my details ended up in the Qantas system.
I will also assume that my system ticket has me somewhere on rows 1 through 6m in the customer table.
-
Thursday 3rd July 2025 08:58 GMT A Haeretic
Eh wot
"The airline said the platform stored names, email addresses, phone numbers, birth dates and frequent flyer numbers for six million customers. Qantas did not use the system to store credit card details, personal financial information, or passport details.
Qantas suggests that attackers could not access all the six million exposed records, an analysis The Register offers as in a statement the airline wrote “We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant.” However an FAQ about the incident states “For those customers whose information has been potentially compromised, you will receive further communication from us.”"
So, name and birthdate is often enough to achieve identity fraud, and, to initiate credit fraud by obtaining funds, etc, borrowed in the victim's name, and, to use the fraudulent identity for things like traffic offences, etc.
The big question, is the degree to which QANTAS will indemnify its victims, for any and all consequential loss which may be attributed to the breach.
And, as QANTAS has made clear that it has no idea as to how many of its customers, are affected by the breach, then, surely, QANTAS must indemnify and compensate, everyone who has ever flown with QANTAS, including on code share flights...
Of course, it comes to the question as to how much, the courts would let QANTAS get away with it, as the Australian courts, like the members of the legislatures, often encourage corporate crimes.
-
Thursday 3rd July 2025 15:39 GMT MachDiamond
Re: Eh wot
"So, name and birthdate is often enough to achieve identity fraud, and, to initiate credit fraud by obtaining funds, etc"
... and phone number, email address, etc. If I call/email somebody purporting to be from the airline and know a fair amount of their information including flight info, that could be used to tease out additional information that I might want. It might also be handy to know if somebody flies a lot and their home address. Especially if a person flies on a regular basis for work. There can already be a vast trove of data on somebody online already and knowing a bit more might give a scammer an angle that hasn't been tried before.
Airlines can have an enormous amount of data on their customers that they keep to more narrowly focus their marketing. All of that is also very useful to Big Data companies and doesn't need to include credit card numbers or passport data. The CC and PP information has been taught to be the most important thing to the average punter and just about every breach announcement will go to pains to assure people that those things haven't been handed out. What has been compromised might be even more valuable, but the smoke bomb has been deployed. Nothing to see here, move along.
-