Qantas Airways (ASX: QAN) has been hit by a major cyber-security breach that has exposed the personal data of up to six million customers to the risk of being stolen.
The airline says the breach was detected yesterday at one of its contact centres, adding that the incident has now been contained with no impact on Qantas operations or safety.
While the full extent of the cyber-attack has yet to be determined, Qantas warns it is expected to be “significant”.
“We understand this will be concerning for customers,” says the airline. “We are currently contacting customers to make them aware of the incident, apologise and provide details on the support available.”
The incident follows a recent warning by the US Federal Bureau of Investigation of a criminal organisation targeting the airline sector, according to Elliot Dellys, CEO of Australian cyber security company Phronesis Security.
He says the warning related to an organisation known as Scattered Spider, a “disparate group of young hackers living in the US and UK”.
“Scattered Spider had been targeting the airline sector, impersonating legitimate users to gain access to systems and bypass multi-factor authentication, one of the most effective methods of preventing breaches,” says Dellys.
“It would therefore be little surprise if the Australian aviation sector had come within its crosshairs, as a high value target with a complex, and historically challenging, environment to secure.”
Qantas says the incident occurred when a cyber-criminal targeted the call centre, gaining access to a third-party customer servicing platform.
“We then took immediate steps and contained the system,” says the company. “We can confirm all Qantas systems remain secure.”
Qantas notes that it keeps the service records of six million customers on the platform.
“We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant,” the company says.
“An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers.
“Importantly, credit card details, personal financial information and passport details are not held in this system.”
Qantas says no frequent flyer accounts have been compromised, adding that passwords, PIN numbers and log-in details have not been accessed.
“We sincerely apologise to our customers and we recognise the uncertainty this will cause,” says Qantas CEO Vanessa Hudson.
“Our customers trust us with their personal information and we take that responsibility seriously.
“We are contacting our customers today and our focus is on providing them with the necessary support.
“We are working closely with the federal government’s National Cyber Security Coordinator, the Australian Cyber Security Centre and independent specialised cyber security experts.”
Qantas has also notified Australian Federal Police of the incident.
The company says that as it undertakes an investigation into the incident, it has put additional security measures in place to “further restrict access and strengthen system monitoring and detection”.
Qantas also has established a dedicated customer support line as well as a dedicated page on qantas.com to provide the latest information to customers.
The company has set up a dedicated support line on 1800 971 541 or (02) 8028 0534 for access to specialist identity protection advice and resources through its team.
“If customers have upcoming travel, there is nothing they need to do,” says the company.
“Customers can check their flight details at any time via the Qantas App or website.”


