The Guardian - AU
Business
Luca Ittimani

Five million Qantas customers have had personal information leaked on the dark web. Here’s what you need to know

Customer names, email addresses, and frequent flyer numbers for over 5 million customers were among the data leaked, Qantas said. Photograph: AAP

The number of scams is expected to rise after the personal information of millions of Qantas customers was leaked on the dark web by international hackers.

A hacker collective called Scattered Lapsus$ Hunters released the stolen records from more than 40 companies worldwide, including Qantas, on Saturday after their deadline for ransom payment passed.

Here’s what you need to know about the data breach.

What Qantas data has been leaked?

Customer names, email addresses, and frequent flyer numbers for over 5 million customers were among the data leaked, Qantas said.

The amount of individual data obtained varies between customers. Some customer records included home and business addresses, dates of birth, phone numbers, gender and even meal preferences.

Federal politicians were among those whose home addresses were leaked, the national cyber security coordinator has said. Qantas said it had emailed affected customers to advise which types of their information were impacted.

No identity documents, credit cards or financial details were leaked, nor were any passwords or pin numbers, and hackers have not gained access to Frequent Flyer accounts, the airline said.

Will scammers access the Qantas data leak?

Qantas has sought and received an injunction from the NSW Supreme Court, which prevents the stolen data being accessed, viewed, released, used, transmitted or published.

It is illegal to access the stolen data, according to Tony Burke, the minister for cybersecurity.

“No-one should go looking for it on the dark web … even if you’re looking for your own material,” he told ABC News Breakfast.

However, the government expects scammers will illegally use the data and carry out an increased number of scams to extract information from customers. Reports of scammers impersonating Qantas are already on the rise, the airline said.

What should customers do?

Customers should hang up on cold calls from people claiming to represent legitimate businesses, with the Australian government encouraging people to contact the business themselves.

Cold callers could use the personal information to trick people into believing they are representatives of real businesses, the government warned.

“If you’re getting a call you’re not expecting, hang up, call back through the official line,” Burke said.

Dr Marthie Grobler, CSIRO’s Data61 principal research scientist, warned frequent flyer details could be used to make fake flight rescheduling or fraudulent reward redemption offers more believable.

Qantas has advised customers who are contacted by people claiming to represent the airline to be cautious, follow Burke’s advice and ensure emails end in the official address – qantas.com or qantas.com.au – not imitations such as qantas.net or qantas.biz.

The national privacy regulator recommends Australians change their email account passwords and enable two-step authentication. Qantas has offered a 24/7 support hotline and specialist identity protection advice for affected customers.

Will affected customers be compensated?

Qantas has not offered to compensate affected customers.

Burke said he had not been focused on the issue of compensation and was more focused on whether Qantas had breached its obligations, which could incur fines.

A leading class action law firm, Maurice Blackburn, has flagged it may seek compensation on behalf of affected customers, after lodging a representative complaint over the data breach in July.

Data breaches at other Australian companies such as Optus and Medibank have prompted class action claims in recent years.

How did the Qantas data leak occur?

The hackers did not get the data by scamming individual customers but by targeting a Qantas call centre and gaining access to the customer servicing platform in June, the airline said.

Other companies targeted by recent attacks include Google, Toyota, Disney, McDonald’s, Puma, Cartier, Adidas, Qantas, Air France-KLM, Chanel and Ikea.

Google analysis suggested the hackers called companies and pretended to be IT support staff, convincing legitimate staff to give them access to their Salesforce software platform, which stored customer data.

Salesforce said the hackers had not broken into the platform through any software vulnerabilities and there was no sign the platform was compromised.
