Potentially thousands of Qantas customers have had their personal details made public via the airline’s app, with some frequent flyers able to view strangers’ account details and possibly make changes to other users’ bookings.
Qantas said late Wednesday its app had been fixed and was stable, after two separate periods that day “where some customers were shown the flight and booking details of other frequent flyers”.
The airline said this didn’t include displaying financial information, and that users were not able to transfer Qantas points from another account or board flights with their in-app boarding passes.
Clare Gemmell from Sydney said that she and four colleagues encountered the problem shortly after 8.30 on Wednesday morning.
“My colleague logged in and said ‘I think the Qantas app has been hacked because it’s not my account when I log in’.”
When Gemmell logged into the app, she was greeted with a message saying “Hi Ben”. The app told her Ben had more than 250,000 points and an upcoming international flight.
“Another colleague of mine said it looked like she was able to cancel somebody’s flight ticket,” she said.
“You could see boarding passes for other people, one of my colleagues could see a flight going to Melbourne and it looked like you could interact and actually affect the booking.”
The app has more than 115,000 ratings and reviews in the Apple store, where it has a star rating of 4.8.
Gemmell, who works in customer data technology, said the security lapse was “pretty shocking”.
“It’s a privacy breach and other people having access to my information and being able to cancel flights on my behalf is terrible customer service and very concerning,” she said.
“It’s basic 101 security that they should have tested any app changes before they released it into production,” she said, referring to the moment when the app went live.
She said she hadn’t been aware of an update to the app but that she since understood the app may have been updated overnight.
By shortly after 8.50am on Wednesday, the app appeared to have reverted to normal, she said.
Qantas launched an investigation into the breach and said in a statement that there was no indication of a cyber security incident.
The spokesperson said customers would not have been able to transfer or use the Qantas Points of other frequent flyers and was not aware of any customers travelling with incorrect boarding passes.
“We sincerely apologise to customers impacted by the issue with the Qantas app this morning, which has now been resolved,” they said.
“Current investigations indicate that it was caused by a technology issue and may have been related to recent system changes.
“At this stage, there is no indication of a cyber security incident.
“The issue was isolated to the Qantas app with some frequent flyers able to see the travel information of other customers, including name, upcoming flight details, points balance and status. No further personal or financial information was shared and customers would not have been able to transfer or use the Qantas Points of other frequent flyers. We’re not aware of any customers travelling with incorrect boarding passes.”
