
Qantas customer passports at risk following frequent flyer cyber theft

Qantas has revealed that the passports of at least almost a thousand customers may have been accessed after two third-party employees abused their power to steal customers’ frequent flyer points.

Daniel Croft
Tue, 08 Oct 2024

Two employees working for India SATS, a partnership between Air India and Singapore’s biggest ground-handling company, SATS, used their positions to steal frequent flyer points from customers.

Employees of India SATS, the ground handler Qantas uses in India, are able to access all of the airline’s flight bookings.

Using this access, employees altered customer bookings and changed frequent flyer details using a partner airline booking system to send the earned points to an account they controlled.


The theft affected over 800 bookings in July and August 2024 and resulted in passport data being potentially compromised.

“As part of the access they had to do their job, they may have had access to some customers’ passport details,” Qantas told the media.

“There’s no evidence this has been used in any way.”

In August, the two contractors were stopped and suspended, and customers reportedly had their frequent flyer points restored and bookings fixed.

Despite some reports, Qantas emphasises that the incident was not the result of a cyber attack or hack but an instance in which employees abused their access.

“This was not a cyber hack or data theft, but a case of two rogue employees of one of our suppliers abusing their position to fraudulently steal frequent flyer points,” a spokesperson told media.

“We are not aware of any current bookings impacted. The police investigation is ongoing.”

Qantas has reportedly added new restrictions for accessing customer bookings to prevent a repeat incident.

According to The Australian, which originally reported the incident, there are rumours it may have affected other airlines within the Oneworld Alliance, a global partnership of 15 airlines that allows customers to accrue and use the same frequent flyer points.

Earlier this year, Qantas suffered a data breach that saw customers attempting to log in to the MyQantas app being logged into other people’s accounts.

Several customers of the Australian national carrier have reported being able to access other customers’ account information, point score, status tier, travel destination and even boarding passes.

“My Qantas app logs me in to a different person each time I open it,” one person told 7News.

“I have access to the booking details, QFF numbers, status, and boarding passes of people I don’t know. Logging out and back in does nothing.”

In addition, customers could reportedly change a customer’s seats, cancel their flight altogether or book an entirely new flight under their name.

“I was able to access full booking details, including the ability to cancel someone’s flight to Europe,” said another customer.

Qantas quickly restored the app the same day and confirmed that no financial information was visible, nor were customers able to use other people’s boarding passes to board flights.

While the cause of the incident was originally unknown, Qantas, on 3 May, released a statement confirming that a cyber attack was not responsible and that a technical issue was to blame.

“On Wednesday [1 May], we experienced an issue with the homepage of the Qantas App. We want to apologise to all our impacted customers and assure you that the app is stable and operating normally,” Qantas said in a letter to its customers seen by Cyber Daily.

“We have now identified the root cause and can confirm that this was a technology issue, and there is no evidence of a cyber incident.”

Daniel Croft


Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding of and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music and spends his time playing in bands around Sydney.
