
Qantas cyberattack update: 5.7 million customers at risk as names, emails, addresses, phone numbers obtained

Jackson Hewett, The Nightly
Qantas has confirmed the extent of data stolen in the cyberattack on a third-party call centre. Credit: The Nightly

Qantas has revealed the scope of the cyberattack on a third-party call centre last week, and has confirmed that 5.7 million customers were affected.

After removing duplicate records, the airline’s cyber experts found 1.2 million customers’ details were limited to name and email address, with another 2.8 million including those details plus the frequent flyer number, including tier.

A small subset had points balances and status credit details.

The remaining 1.7 million customers had far more details stolen in the attack, with the airline confirming that 1.3 million customers’ residential or business addresses were included in the data breach, although for some they were hotel addresses for lost luggage delivery.

Of the 1.7 million, 1.1 million had their date of birth, 900,000 had their phone number, and 400,000 their gender.

10,000 customers’ meal preferences were also exposed in the breach.

Qantas said it was progressively emailing affected customers to advise them of the types of personal data that had been stolen.

“Our absolute focus since the incident has been to understand what data has been compromised for each of the 5.7 million impacted customers and to share this with them as soon as possible,” Qantas Group chief executive Vanessa Hudson said.

“From today we are reaching out to customers to notify them of the specific personal data fields that were held in the compromised system and offer advice on how they can access the necessary support services.”

The airline has warned customers to be alert to emails, text messages or phone calls from persons purporting to be from Qantas, and to always independently verify the identity of the caller by contacting the airline through official Qantas channels.

Cybersecurity experts have also advised that everyone should ensure they don’t use the same passwords across multiple logins, and activate two-factor authentication on all possible accounts.

On July 2, Qantas announced that a Manila-based call centre was compromised in a so-called vishing attack, where cyber criminals pose as trusted entities to trick victims into releasing sensitive data such as login credentials.

The attack was similar to ones that affected customers of North America’s Hawaiian Airlines and WestJet in recent weeks and is believed to have been perpetrated by a UK and USA-based cyber criminal group called Scattered Spider.

The group is a loose affiliation of mostly English-speaking hackers who talk their way into accessing corporate computer systems, then on-sell the login information to outside cyber criminals who then install ransomware and try to extort payment.

On Monday, Qantas said it had been contacted by the “potential cyber criminal” behind last week’s data breach.
