Australian airline passengers are on high alert after hackers leaked the personal information of up to 5.7 million Qantas customers.
Qantas confirmed on Sunday it was among several global companies that had data released by cyber criminals.
“With the help of specialist cyber security experts, we are investigating what data was part of the release,” a company spokesperson said.
The data was stolen in a cyber attack in early July from Qantas’ third-party platform provider Salesforce.
Records were stolen by Scattered LAPSUS$ Hunters from 39 major companies, including Qantas, Disney, Toyota and FedEx.
The group was holding customers’ data and threatened to release it at 3pm on Saturday AEDT unless Salesforce paid an undisclosed ransom, which it refused to do.
The Qantas data included full names, email addresses and Frequent Flyer details, as well as business and home addresses, dates of birth, phone numbers, gender and meal preferences for a smaller number of customers.
No credit card details, personal financial information or passport details were compromised, nor were passwords, PINs and login details for frequent flyer accounts.
Cybersecurity expert Troy Hunt from Have I Been Pwned said a fellow security researcher in another part of the world had verified his data, which included the names of his wife and son and frequent flyer balance.
The online security expert told AAP the hackers had released data for Qantas, Vietnam Airlines, GAP, Fujifilm and two other companies.
Qantas has obtained an injuction from the NSW Supreme Court to prevent the stolen data being accessed, viewed, released, used, transmitted or published by anyone.
It has offered a support line and specialist identity protection advice to affected customers.
The data was taken down on Saturday but was back up on the same hosting provider on Sunday morning, Mr Hunt said.
“It’s all over the place,” he said.
“There’s absolutely no putting the genie back in the bottle.”
He said all six files were publicly available through a file-sharing service, with the hackers putting up a new clear web address after the domain was pulled down by the FBI.
“It’s not just on the dark web, it’s all over the clear web,” he said.
Mr Hunt said the data could potentially be used for identity theft attacks as it gave hackers more points of verification.
While not overly concerned about his own personal information being leaked, he said Qantas would be “lawyered up” and wary of a possible class action suit.
Optus faced a similar breach in 2022, when more than 10 million customers’ details were compromised and a 2023 incident at Dymocks led more than one million people’s details to be shared on the dark web.
Mr Hunt said hackers have pivoted from ransomware to attacks on confidentiality, making it even harder for companies to manage extortion attempts.
“We’re now in a position where someone’s saying ‘send us money, we’ll delete all the data, honest promise’,” he said.
“So you can see it’s really not the same as the ransomware of old where you actually had some evidence.”
A Salesforce spokesperson said the company would “not engage, negotiate with, or pay any extortion demand”.
Australian Associated Press is the beating heart of Australian news. AAP is Australia’s only independent national newswire and has been delivering accurate, reliable and fast news content to the media industry, government and corporate sector for 85 years. We keep Australia informed.
