Australia’s Qantas has been contacting customers about a data breach that appears to be tied to its loyalty rewards program. The airline says that a third-party contact center was compromised and at least some of its customers, potentially up to six million, are impacted.
The data breach comes mere days after an FBI warning that the Scattered Spider hacking group is now focusing on airlines and their various vendors and contractors, though there is not yet any strong evidence the group is involved with the contact center attack and the timing may be a coincidence. While it does not appear payment information or account credentials were leaked or that ransomware was involved, Qantas customers should be wary of inbound attempts to access their “frequent flyer” miles for gift card purchases.
Qantas contact center breach details remain limited
The component that is likely to generate the most discussion, the possible connection to Scattered Spider, is tenuous at best. So far, the only link is that the FBI has warned that the group is targeting airlines and this is an airline. Attacking a third-party contact center would be an expected move for Scattered Spider, but it would also be one for many other hackers. At the moment there is no other good evidence of the group’s involvement in the data breach.
Qantas has reassured customers that the contact center did not have access to payment information, personal identification or passport numbers, or account login credentials. But it did have the full name of each frequent flyer program member paired with their account number, birth date and email address. That is most of what an attacker needs to break into a rewards program account, save for the PIN that protects it. Needless to say, Qantas customers should ensure this PIN is set to something that has not been reused elsewhere (in the event it has surfaced in other data leaks) and that does not have a personal connection of some sort (like using part of a birth date).
Why would hackers want to break into Qantas rewards accounts? Purchasing gift cards is one of the options for using rewards points, and gift cards are a primary means by which threat actors transfer money internationally. The method is hard to trace and hard to “claw back” once someone realizes theft or fraud has been committed.
Data breach took place near the end of June, exact number of customers impacted still unknown
Qantas says that unusual activity was detected at the contact center on June 30, which quickly led to discovery of the data breach. It is possible that up to six million customer records were exposed, but the exact total remains unknown as Qantas reaches out to victims individually; the airline has only said that the amount of stolen data is “significant.”
The contact center attack extends a chain of major data breaches for Australian companies that now stretches back some years, and has prompted ongoing updating and revision of national law. This did not stop 2024 from being the most active year yet on record for data breaches in the country. Scattered Spider has targeted Australian companies during this period, but that does not provide any evidence of their involvement this time out.
Attacks on passenger carrier suppliers tend to be extra risky as there are many that serve multiple airlines and airports, creating the possibility of widespread outages should ransomware be successfully deployed. Though it is not yet at all clear that Scattered Spider is involved with this one, Google’s threat intelligence assessment of the group is worthwhile reading across the industry to prepare for both them and numerous similar attackers.