Qantas could become the highest profile test of the Australian government’s new extortion reporting regime, as the airline says it has been contacted by a “potential cybercriminal” days after a “significant” data breach of a third-party contact centre.

The company has worked intensively with authorities since it shared news of the 30 June incident, in which it admitted the personal, non-financial data of at least six million people was stolen by cybercriminals.

Affected customers will be individually told this week exactly what data was compromised, Qantas said while revealing more than 5,000 customers contacted a dedicated enquiry line (1800 971 541) in the two days after its breach announcement.

Qantas has subsequently been contacted by a “potential cybercriminal”, its latest update revealed.

While the airline said it was “working to validate this”, it said it would not be sharing further details of that contact “as this is a criminal matter”.

“There is no evidence that any personal data stolen from Qantas has been released,” the update stated, “but with the support of specialist cybersecurity experts, we continue to actively monitor.”

The compromised data was “not enough for someone to gain unauthorised access to Frequent Flyer accounts”, the company added.

It said additional measures included requiring extra identification for account changes, and customers were being given access to identity protection advice and resources.

New ransom rules could mean new headaches

Revelations that Qantas has been contacted by alleged cybercriminals corroborated reports the breach’s perpetrator was Scattered Spider, a US-UK coalition which targets one industry at a time and was — authorities warned in late June — turning its sights to aviation.

Its modus operandi involves contacting IT support desks pretending to be an employee, then convincing staff to reset account passwords or update multi-factor authentication (MFA) details — something Qantas allegedly warned its staff about days before the attack.

Also known as Muddled Libra, Scattered Spider “stands at the intersection of devious social engineering and nimble technology adaptation… [and] presents a significant risk even to organisations with well-developed legacy cyber defences,” cybersecurity firm Unit 42 warned in May.

That risk could extend into reputational damage — Qantas is already Australia’s fifth least-trusted brand — and, potentially, legal repercussions such as a class action lawsuit.



While Qantas has so far declined to confirm whether cybercriminals have demanded a ransom or extortion payment, it could find itself publicly pilloried if it ends up negotiating such a payment to stop the hackers releasing its customers’ stolen data.

Any such payment would put it among the first firms to report doing so under new mandatory ransom payment reporting laws which came into effect on 30 May.

The government said it would take an “education-first approach” in the first months of the legislation, which threatens penalties of $19,800 for relevant companies that fail to disclose payments or benefits “provided to the extorting entity”.

“Paying almost never guarantees a clean outcome,” said Trustwave global leader of cyber advisory Craig Searle, noting “in many high-profile incidents, payment has failed to prevent leaks or restore systems… [but] refusing to pay isn’t without consequence”.

Call centre outsourcing under fire

Qantas manages customers through third-party contact centres in Hobart, Auckland, Cape Town, Manila, and Suva — reflecting cost-cutting measures implemented by previous CEO Alan Joyce that have experts worried security has been spread too thin.

After admitting the cybercriminals were too “good” and “capable” for Qantas’s cyber defences, current CEO Vanessa Hudson denied its Manila site was a weak spot but said Qantas was now reconsidering whether storing customer data externally was appropriate.

“We are treating this incredibly seriously and have implemented additional security measures to further strengthen our systems,” she said in a statement on Friday.

Mark Holden, technical operations lead with Precision IT, said the Qantas breach showed “how attackers can exploit weaknesses in trusted third parties”.

He warned that “even if your internal systems follow best practice, you’re only as secure as your vendors”.