Personal data of over five million Qantas customers has been leaked on the dark web after hackers followed through on their ransom threat over the weekend.
The airline was among 40 global firms linked to the cloud software giant Salesforce that had their data stolen in July.
The details that were stolen included full names, email addresses and frequent flyer details, as well as business and home addresses, dates of birth, phone numbers, gender and, in fewer cases, meal preferences. It did not contain financial information, passport details, PINs or passwords.
"With the help of specialist cyber security experts, we are investigating what data was part of the release," Qantas said in a statement on Sunday.
The hacker collective, Scattered LAPSUS$ Hunters, threatened to release the data at 3pm on Saturday AEDT unless Salesforce paid an undisclosed ransom, which it refused to do.
The group said the data was "leaked" on Saturday, stating: "Don't be the next headline, should have paid the ransom."
How do you know if your data was exposed?
Qantas said it contacted all impacted customers in July and advised them on what types of personal data may have been stolen.
The airline said on Sunday it would continue to share updates on its website and through a 24/7 support line on 1800 971 541 or +61 2 8028 0534, "where customers have ongoing access to a specialist identity protection service".
Arash Shaghaghi, a senior cybersecurity lecturer at the University of New South Wales, told SBS News customers should ensure any email communications they receive are legitimate and come from a legitimate @qantas.com address.
Breach notification services, such as Have I Been Pwned, are also evaluating the leak. Once the event is listed, people can safely check if their email was part of the breach, Shaghaghi said.
He stressed people should not attempt to search the dark web dumps themselves.
"Aside from legal risk, they're often bait for malware and further scams," he said.
Receiving spear-phishing attacks is another sign of exposure that people can look out for. These types of attacks use personal information to deliver "highly-targeted" fraudulent electronic communications, such as emails and texts, to trick targets into divulging sensitive information.
What action should you take?
According to Shaghaghi, there are three steps you can take to protect yourself.
Lock down your accounts. Enable multi-factor authentication on your email, banking and key online accounts immediately.
"It's the single most effective defence against stolen data being used for account takeover," he said.
Also, change your Qantas password and any account where that password may have been reused, ensuring each account has a strong, unique password, Shaghaghi suggested.
Another approach is to be vigilant for scams.
"Expect personalised attacks. Be wary of unsolicited emails, texts or calls claiming to be from Qantas, insurers or 'compensation teams'," Shaghaghi said, noting that criminals could use leaked details of the affected customers, such as date of birth or frequent flyer number, to make scams look legitimate.
He advised people to avoid clicking links in unexpected messages and instead visit the official Qantas site or app to verify account details.
Shaghaghi emphasised the importance of regularly monitoring and reporting any unusual activity, such as discrepancies in bank and credit card statements. Obtain credit reports from Equifax, Experian, and illion to check for unauthorised credit applications, he said.
If you see evidence of identity theft or fraud, report it to your financial institution and via the Australian Cyber Security Centre's (ACSC) government portal immediately.
Follow updates from Qantas and ACSC for verified information.
What can happen to data posted on dark web?
Matthew Warren, director at RMIT University's Centre for Cyber Security, said the data leak would potentially lead to a "second wave of scams".
"Other criminals are going to use that information, pretending to be from Qanta,s trying to elicit additional personal information or trying to say 'We are offering compensation, please share your credit card details so we can transfer'," Warren told AAP.
"Most Qantas customers are Australians. You're talking about a quarter of the population."
Shaghaghi warned people can expect "highly convincing" phishing or "Qantas refund" scams that use their real details.
"Criminals will exploit the trust that comes with accurate personal data to trick victims into revealing credit cards or login credentials. Criminals will exploit the trust that comes with accurate personal data to trick victims into revealing credit cards or login credentials," he said.
In terms of "long game," he said, criminals could combine data from previous breaches to build detailed identity profiles that enable loan fraud, tax-refund and other scams.
"For example, scammers used data from the [2022] Optus breach months later to file fake credit applications and contact victims pretending to be banks or government agencies," he said.
Will victims receive any compensation?
Compensation claims were made against Optus and Medibank following major data breaches in 2022.
A complaint over the Qantas data breach has already been lodged by Maurice Blackburn with the Office of the Australian Information Commissioner, an independent national regulator for privacy and freedom of information.
The law firm has alleged Qantas breached privacy laws by failing to adequately protect customer information.
Affected customers are eligible to receive updates from the law firm and any compensation that may be sought on their behalf.
Warren said any class action will likely be challenged by Qantas on the grounds that a third party was responsible for protecting the data, and that the data was not stolen in Australia.
— With additional reporting from Australian Associated Press.
