Qantas data breach: How to safeguard yourself against scams
By Tom Watson
Millions of Qantas customers are being warned to be on the lookout for scams following the release of a trove of personal information by cyber criminals over the weekend.
In early July, Qantas announced that the personal details of 5.7 million customers had been stolen after a third-party platform used by the airline was breached.
Qantas has since confirmed that, for the majority of customers, the stolen information includes names, email addresses and Qantas Frequent Flyer details. However, a smaller number have also had their addresses, dates of birth, genders and phone numbers exposed.
The group allegedly behind the data breach - a hacking collective known as Scattered Lapsus$ Hunters - had demanded a ransom from the airline in order not to release the data.
The ransom deadline appears to have expired on Saturday though, with the group reportedly releasing the data onto the dark web accompanied by the message, "Don't be the next headline, should have paid the ransom", according to Guardian Australia.
Qantas confirmed as much in a statement released on Sunday which noted that it was one of a number of companies to have had data released by cyber criminals following the breach in July.
Scammers building 'detailed' profiles
The Qantas incident is just the latest in a series of major data breaches in recent years.
Around 9.8 million Optus customers had their information stolen back in September 2022 and 9.7 million Medibank customers were affected in an incident the following month.
In total, 6653 data breaches have been reported to the Office of the Australian Information Commissioner since 2018 under the Notifiable Data Breaches scheme.
Unfortunately, this means that many Australians have had personal information leaked in one, or multiple, data breaches - information which scammers may be able to exploit.
"Australia's data breach landscape has reached a tipping point. Cybercriminals are connecting the dots across years of leaks to create full identity profiles," says Dr Arash Shaghaghi, a senior lecturer in cyber security at the University of New South Wales.
"After Optus, Medibank, Latitude and now Qantas, Australians need to accept that some of their personal information is already circulating.
"Attackers are no longer guessing passwords. They're assembling detailed identity profiles from multiple breaches and using them to launch highly targeted, personalised attacks."
What scams should Qantas customers watch out for?
In its statement, Qantas urged customers to remain vigilant about any misuse of their personal information that could result from the recent release of data.
One way that scammers may seek to exploit it is via a method known as 'spear phishing'.
As Shaghaghi explains, this is a targeted attack - typically done via email, but sometimes by text or call - designed to trick individuals or organisations into taking malicious action or divulging even more sensitive information.
"Expect highly convincing phishing or 'Qantas refund' scams using your real details.
"Criminals will exploit the trust that comes with accurate personal data to trick victims into revealing credit cards or login credentials."
Because scammers are able to compile profiles using data from multiple breaches, Shaghaghi says that the threat won't just be in the coming months. Australians will need to be vigilant long-term.
"After previous leaks we've seen criminals combine old breaches to build detailed identity profiles (known as 'fullz') that enable loan fraud, Centrelink or tax-refund scams and social engineering.
"For example, scammers used data from the Optus breach months later to file fake credit applications and contact victims pretending to be banks or government agencies.
"The Qantas dataset will now feed that same ecosystem - boosting the credibility of future scams that appear 'too real'."
How can people protect themselves?
There are measures that Qantas customers - or any Australians affected by a data breach - may want to consider in order to help protect themselves against scams.
1. Lock down your accounts
The number one priority, Shaghaghi says, should be enabling Multi-Factor Authentication (MFA). After that, he recommends changing and strengthening your passwords.
"Turn on MFA on your email, banking and key online accounts immediately. It's the single most effective defense against stolen data being used for account takeover.
"Update your Qantas password and any others that might be reused. Each account should have a strong, unique password."
2. Be wary of scam attempts
People who have had their personal details leaked should be alive to the possibility that they will be targeted, Shaghaghi says. This doesn't need to prompt alarm, but they should be vigilant.
"Be wary of unsolicited emails, texts or calls claiming to be from Qantas, insurers or 'compensation teams'. Criminals are using leaked details like your real name, date of birth and Frequent Flyer number to make scams look legitimate.
"Don't follow links in unexpected messages. Instead, go directly to the official Qantas site or app to verify account details."
Qantas customers in particular can keep abreast of any relevant scams through the airline's official scam assistance webpage.
3. Monitor and report anything suspicious
Given that many scammers will ultimately be trying to get access to people's money, Shaghaghi suggests keeping an extra close eye on your financial accounts and credit score.
"Review bank and credit card statements frequently for unusual activity. You may also be able to obtain free credit reports from Equifax, Experian and illion to check for unauthorised credit applications."
If you do spot anything suspicious, get in contact with your financial institution directly. You can also make a report through the Australian Cyber Security Centre.