Qantas Cyber Attack: Personal Data of up to 6 million Customers Exposed
Qantas, Australia’s largest airline, is the latest company to be targeted in a major cyber attack.
On Monday, 30th June, Qantas detected unusual activity on a third-party platform used by its contact centre in the Philippines. That platform holds the records of 6 million customers, including names, email addresses, phone numbers, dates of birth, and frequent flyer numbers. However, it does not store payment information, personal financial information or passport details.
The cybersecurity firm contracted by Qantas to investigate the incident has identified that the attack is likely to have come from the “Scattered Spider” hacker group, who are responsible for other high-profile attacks, such as the one on Marks & Spencer. That attack compromised the personal data of up to 9 million customers and impacted services for over 6 weeks. This attribution is backed up by the fact that the FBI has recently warned that the group was expanding its targeting to the airline sector.
In a statement, Qantas Chief Executive Vanessa Hudson confirmed that the company had set up a customer support line and a page on the company website to support customers and keep them up to date. She also added that Qantas “sincerely apologise to our customers and we recognise the uncertainty this will cause” and that, starting from the 2nd July, impacted customers will be contacted.
Additionally, Qantas has informed the Australian Cyber Security Centre, the police and the Australian Information Commissioner of the attack.
Could this be another case of third-party IT providers being a point of entry?
While not confirmed at this time, it is likely that the attack was yet another social engineering attack, where human error is relied on to gain unauthorised access to accounts and systems, rather than the more sophisticated technical exploits typically associated with cyber attacks.
Attackers will always target where they can find vulnerabilities, and in many cases, the third-party IT providers these large companies use act as an easy point of entry. There are a few main reasons for this:
Limited oversight and control: Companies will always have less insight into the security practices of their third-party providers than into their own. This lack of oversight makes it very difficult to ensure that a high standard of security is consistently upheld. The lack of control they have over the third parties also means that it’s much more difficult to resolve any security or compliance issues that may increase the risk of a successful attack.
Poor access control measures: Third-party vendors often require access to internal systems and data to perform their services. If this access is not properly managed and limited, it can create a backdoor for attackers. In an ideal situation, data is segmented, and staff have access only to the data they require to do their job. In many of the high-profile cases, this has not been the case, meaning more data is likely to be available to attackers once they gain access. While taking this segmented approach is unlikely to reduce the likelihood of an attack, it will reduce its impact.
Lack of training and awareness schemes: To compound these risks, many of these third-party businesses lack any training and awareness schemes that give staff the knowledge needed to identify attempted attacks, including social engineering attacks. Such schemes can take a variety of forms, such as online training, workshops or phishing simulations.
What can we learn from the Qantas cyber attack?
The investigation into this attack is ongoing, meaning that at this time we don’t know which of these factors played a part here, though in other recent attacks they have absolutely been factors.
Below are a few key takeaways that, despite the scale of this incident, may still apply to your business:
Remain vigilant of attempted social engineering attacks: Social engineering attacks are becoming more and more common, and it’s not just large companies that are vulnerable to being targeted. It’s vital that all staff remain vigilant and make sure that the person asking for information is who they say they are.
One of the best ways to achieve this is by having staff complete frequent refresher training on the things to look out for regarding attempted attacks. Check out PRIVACY HELPER’s Staff Training page to learn more about the benefits of frequent staff training.
Frequent third-party due diligence is key: If your business relies on third-party suppliers to operate, it is your responsibility to ensure their processing activities meet any relevant regulatory requirements, such as GDPR. Should one of your suppliers suffer a breach involving your personal data and the appropriate due diligence has not been completed, you, as the data controller, may be held liable.
Make sure that you complete frequent due diligence checks on the activities and processes of your supplier. At the end of the day, they’re working with personal data on behalf of your organisation, and you want the peace of mind that all necessary precautions have been taken.
This can be a monumental task, especially with more than one supplier. To learn more about how PRIVACY HELPER can make this as stress-free as possible, take a look at our supplier due diligence page.
The importance of transparency with data subjects: Qantas was quick to take steps to inform impacted data subjects and to provide resources for those affected. While there will always be some reputational hit when an incident like this occurs, being quick to act and transparent helps demonstrate a commitment to data protection and accountability.
PRIVACY HELPER’s Data Breach services help with this vital step in minimising the damage from an incident.
Next Steps
Ensuring that you handle, process and store personal data in a way that’s in line with the law isn’t easy. To be confident that you’re compliant, and to address any concerns you may have, contact PRIVACY HELPER today, and let us remove the stress of managing data compliance in your business.