Frustration is mounting among Qantas customers after the revelation that their personal data, including names and addresses, has been exposed on the dark web. This breach affects 5.7 million customers and was made public over the weekend when the cybercrime collective known as Scattered Lapsus$ Hunters released the data after a ransom demand went unmet.
Ebe Ganon, a Qantas customer impacted by the breach, expressed her dissatisfaction with the airline’s communication efforts. “I still haven’t had any communication directly from Qantas about what’s happened, and that’s really frustrating as someone who often doesn’t have a lot of choice,” she told the ABC. Ganon noted the financial and emotional burden of having to pay for her own identity monitoring.
The breach occurred in July when cybercriminals manipulated a Qantas call center worker in the Philippines into providing access to customer information stored on the third-party platform Salesforce. As the fallout continues, speculation mounts regarding potential financial penalties Qantas may face under the Australian Privacy Act.
Legal and Financial Implications
The Office of the Australian Information Commissioner has not commented on whether Qantas will face fines for the breach. However, experts suggest that any penalties should be significant, especially in light of Qantas’s recent $1.6 billion full-year profit. Matt Warren, director at the Centre of Cyber Security at RMIT University, emphasized the importance of prioritizing security over profits.
“The key lesson is to prioritize security over trying to maximize profits for shareholders,” Warren told ABC News. “The onus is on Qantas to keep all of their customers updated.”
Warren further explained the complexity of the case, particularly if Qantas attempts to shift blame to Salesforce or argues that Australian laws do not apply. Michael Park, a lawyer specializing in technology and telecommunications, noted that the central question is whether Qantas breached Australian privacy principles.
“The threshold question will be whether Qantas has breached any of the Australian privacy principles under the privacy act,” Park said. “For example, if Qantas holds personal information, it must take such steps as are reasonable in the circumstances to protect that information from misuse, interference, and loss.”
Customer Concerns and Potential Scams
Dr. Warren highlighted the seriousness of the data breach, given the type of information exposed. “It is serious because it contains what is called personally identifiable information … like your name, your date of birth,” he explained. Such data can be exploited by scammers to deceive affected customers into revealing bank details under the guise of offering compensation.
Despite the gravity of the situation, Qantas has yet to address the media directly since the hackers followed through on their threat. In response to inquiries, a Qantas spokesperson referred to a statement on the airline’s website, noting that affected customers can access support from IDCARE on a case-by-case basis.
Looking Forward
The Qantas data breach underscores the growing threat of cybercrime and the need for robust security measures. As the airline navigates potential legal challenges and customer dissatisfaction, the incident serves as a stark reminder of the importance of safeguarding personal information in an increasingly digital world.
As the situation develops, customers and stakeholders alike will be watching closely to see how Qantas addresses the breach and works to restore trust. The airline’s response could set a precedent for how similar incidents are handled in the future, both in Australia and globally.
