Qantas cyber breach: How were Frequent Flyer points affected?

Published 1 day ago | 5 minute read

On Monday, Qantas detected unusual activity on a “third-party platform” used by the airline’s contact centre in Manila. The data breach may have affected up to six million Qantas customers, making it one of the largest in Australian history.

The customer data incident was reportedly contained by Wednesday, and flight operations are running normally.

Qantas CEO Vanessa Hudson is overseeing the response to the incident. Credit: Oscar Colman

After Qantas alerted the public on Wednesday, more questions are surfacing about the risks faced by Qantas Frequent Flyer members. Qantas on Thursday confirmed that CEO Vanessa Hudson was travelling overseas but leading the crisis response remotely.

The breach occurred days after the FBI warned the aviation sector was being targeted by criminal group Scattered Spider. The multi-stage nature of cybercrime has prompted Qantas to warn customers of further impacts.

A review of the incident showed the stolen data included customer names, email addresses, phone numbers and birthdates. It also included frequent flyer numbers.

No credit card details, personal financial information or passport details were held on the hacked platform, the airline said. “No Frequent Flyer accounts were compromised, nor have passwords, PIN numbers and log-in details been accessed,” Qantas said.

Cybercriminals may be able to infer log-on information from the data collected. Credit: Reuters

Cyber experts say that the hacked frequent flyer numbers alongside customer names, email addresses, phone numbers, and birthdates would nevertheless make it easy for criminals to infer the log-on information needed to defraud customers.

Part of Scattered Spider’s strategy is to “steal sensitive data for extortion”, according to the FBI. The cybergang often deploys ransomware, which involves locking up sensitive data and threatening to delete or release it unless a ransom is paid.

If you are one of the six million customers affected by the breach, you will likely have received an email from Qantas. Many received it on Wednesday evening. Whether the data is further exploited for financial gain is a bit of a wait-and-see scenario.

Qantas said frequent flyers should remain “alert for unusual communications claiming to be from Qantas” such as “emails or calls asking for personal information or passwords”.

Such requests should be treated with suspicion. The airline would never contact members “requesting passwords, booking reference details or sensitive login information”. The airline has set up a dedicated webpage, along with a dedicated support line on 1800 971 541 or 2 8028 0534 for enquiries.

The criminal cybergang Scattered Spider is suspected of being behind the breach. It is thought to be motivated by financial gain, and believed to be based in the US and UK.

“The FBI has recently observed the cybercriminal group Scattered Spider expanding its targeting to include the airline sector,” the agency said on June 28.

Scattered Spider relies “on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access... They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.”

While complete attribution takes time, Hawaiian Airlines and Canada-based WestJet are also suspected to be victims of Scattered Spider.

Macquarie University cybersecurity professor Dali Kaafar said: “Scattered Spider are known to be in this sophisticated social engineering tactics, often coincidentally also targeting help desks or call centre personnel to gain access to some corporate networks.

“Scattered Spider often combines some data exfiltration with possible ransomware threats, which I wouldn’t be surprised to see in the next few days.”

Qantas has not – at time of writing – received a ransom demand.

In the email to affected members, Hudson told customers: “I want to reassure our Qantas frequent flyers that there’s no requirement to reset your password or PIN.”

The company has urged frequent flyer members to use two-factor authentication on their accounts.

“The information released in the incident is not enough to gain access to frequent flyer accounts,” a Qantas spokesman said.

In addition to the two-factor authentication (2FA) or multifactor authentication (MFA) in place, “we have always strongly encouraged customers to set up and install an authenticator app for added account security”, the spokesman said.

Two-factor authentication was made default on frequent flyer accounts some time ago.

Not all members would have set up the 2FA.

Macquarie’s Kaafar said: “The idea that login details have not been compromised so it should be secure and safe, definitely doesn’t make sense to me.”

Research and empirical evidence show that many members would actually be using some form of their birthday as a PIN number, he said.

The fact that the dates of birth associated with frequent flyer members’ numbers are now “out there, compromised”, and that the mobile app relies on only three main pieces of information, makes the app “quite vulnerable to further compromise”.

The app requires a user’s surname, frequent flyer number and a PIN code. “So I think it just makes perfect sense, an immediate action to take, is to at least change that PIN code.”

Kaafar said the two-factor authentication also wouldn’t protect from overall phishing and scam vulnerabilities once the data was in the hands of criminals.

Chief technology officer at NordVPN Marijus Briedis urged customers to use a password manager app “to create unique, strong passwords for all your accounts”.

“Most importantly, be cautious of phishing attempts,” he said. Phishing is the practice of sending emails that purport to be legitimate but are designed to dupe a recipient into revealing personal information, passwords and/or credit card numbers.

“Cybercriminals often follow data breaches with targeted scam campaigns using the stolen information,” he said.

Origin: The Sydney Morning Herald