A cybersecurity expert has told the ABC that the personal data of Qantas customers has been released on the dark web.
Up to six million Qantas customer records were exposed in July during a cyber attack on a third-party platform used by Qantas.
The stolen data included some customers’ names, email addresses, phone numbers, birth dates, and frequent flyer numbers.
Qantas responds to hackers threat
A cybercrime collective, Scattered Lapsus$ Hunters, had reportedly threatened to release stolen data from around 40 global firms linked to the cloud software giant Salesforce — including Disney, Google, IKEA, Toyota, and airlines Qantas, Air France and KLM — unless a ransom was paid.
The hackers had given Salesforce a deadline of 3pm AEST on Saturday to pay the ransom, or it would release the data.
Australian online security expert Troy Hunt from Have I Been Pwned said he had confirmation that the Qantas customer data had since been leaked on the dark web.
While Mr Hunt was speaking to the ABC, he received a text message from a friend overseas saying they thought they had found his personal data in the leak.
“I just gave them the last two digits of my frequent flyer number. So we’ll see if they can confirm the whole thing, but I’m quite sure it is what it is,” he said.
Within seconds, he had confirmation.
“They’ve just confirmed the email address that was on file, which is unique to Qantas,” Mr Hunt said.
It appeared the hackers did not release the data of all the companies involved.
“They’ve only released six at this point in time,” Mr Hunt said.
“The guys responsible for this have been pretty erratic in their communication; there were threats that everything was going to be leaked.”
The stolen data included some customers’ names, email addresses, phone numbers, birth dates, and frequent flyer numbers. (ABC News: Stephanie Chalmers)
Qantas said in a statement on its website that there was no impact to frequent flyer accounts and that financial details had not been compromised.
“Passwords, PINs, and login details were not accessed or compromised,” the statement said.
“Qantas confirms that no identity documents, credit card numbers, or personal financial details were accessed or compromised as a result of the incident.”
Mr Hunt told the ABC that the data that was published earlier had been removed from the service it was placed on for download.
“But it’s already in thousands of hands and will likely just be re-uploaded to a new service,” he said.
“The genie is out of the bottle.
“If anything, the situation is worse now — the hackers just launched a new clear website that anyone can easily access.
“The data will likely reappear there soon.”
FBI ‘seizes’ site run by hackers threatening to release Qantas customers’ data
Mr Hunt advised affected Australians to carefully verify any incoming communication.
“In the Qantas situation, when we think about the data that’s been exposed, that sort of data can be useful for things like social engineering attacks, phishing scams,” he said.
“Someone can contact me even outside the context of Qantas and say, ‘look, I know you live at this address and I know this is your phone number and we are a legitimate organisation offering some service and you need to give us some personal information or log on to a site’.
“The more an attacker has about you in terms of your personal info, the better a scam they’re able to execute.”
In a statement, the hackers confirmed the data leak and have threatened that they have the resources to continue these types of attacks.
Salesforce confirmed on Saturday that it would “not engage, negotiate with, or pay any extortion demand”.
The company continues to maintain that there is no indication that its platform has been compromised.
