Qantas CEO Vanessa Hudson regret over Scattered Spider cyber attack
But that quickly changed on Monday after a phone call from a fellow executive telling the Qantas CEO 'suspicious activity' was detected on a database where the details of six million customers were stored.
'As soon as I heard the breach had happened, I stopped everything I was doing and I connected with the team and was leading our response,' said Ms Hudson from London.
'All our focus was understanding what occurred, and the time gap between communicating to customers was so we could advise with 100 per cent confidence that no passport details had been breached, no credit card numbers and the Frequent Flyer system was completely secure.'
A statement to the ASX and the media was released Wednesday morning, outlining the attack had accessed customers' names, birthdates, phone numbers, email addresses and loyalty numbers — enough information to cause anxiety for the millions affected.
What made it worse was the US Federal Bureau of Investigation had issued a warning three days beforehand that hacker group Scattered Spider was targeting the aviation community, with attacks on WestJet and Hawaiian Airlines.
Ms Hudson said that warning had been communicated by Qantas to its call centres on Friday June 27 — apparently to no avail.
'Unfortunately the cyber criminal in this instance was able to gain access to what is a customer service platform and that was following an interaction with a call centre operator (in Manila),' she said.
'I'm sure you would appreciate that we really do want to avoid further action by other cyber criminals so I have felt that it's important not to provide a lot more of the specificities around what's occurred.'
While she does not want to attribute blame, various cyber experts have highlighted striking similarities between Scattered Spider's MO and the Qantas infiltration.
The criminal organisation is believed to have evolved from a group of young people trading secrets on social media for how to cheat playing video games, to something much more sinister.
'The group is notorious for targeting large enterprises — often by exploiting IT help desks via social engineering,' said Rapid7 senior director of threat analytics Christiaan Beek.
'Their end goals are typically data theft and extortion. In some intrusions, they have partnered with or acted as affiliates of ransomware gangs.'
Unlike the Medibank cyber attack in late 2022 which was attributed to Russia's Aleksandr Ermakov, Scattered Spider's members came from the US, UK and Canada.
Okta's Brett Winterford said the group is not only motivated by profit but the 'desire to score a big win that impressed their peers'.
Only last month, Scattered Spider targeted retailers including North Face, Cartier and Victoria's Secret, following on from a spate of attacks on UK retailers Harrods, Marks & Spencer and Co-op.
US insurers including Aflac, Erie Indemnity and Philadelphia Insurance have also been under siege from the group — all hit in what appeared to be co-ordinated attacks during a five-day period last month.
As yet Qantas has received no ransom demand, nor has the stolen information been shopped for sale on the dark web.
But that's not to say the 6 million individuals caught up in the attack are in the clear — and Ms Hudson stressed that vigilance was critical.
'That is obviously the reason why we acted so quickly and so transparently with our customers,' she said.
Within hours of the suspicious activity being confirmed on Monday, Ms Hudson said she notified her chair, John Mullen, and the government.
'We are continuing to work really effectively with the government cyber teams and also the AFP because this is a criminal matter,' she said.
Experts agreed that Qantas customers risk being targeted by follow-on social engineering attacks.
This includes potential credential stuffing – the same method hackers used earlier this year to siphon hundreds of thousands of dollars of retirement savings from Australian industry super funds.
Ms Hudson described her 'concern and great regret' that the attack had occurred, but she said Qantas' response would help the airline's mission of rebuilding trust.
'Trust is something that has to be earned both in the good times and also in the hard times and I think in the hard times in this context and where we're at, the way in which you continue to support customers being transparent with them, being open and being supportive goes to an important part of customers' understanding that we're focused on them, even in the hard times,' she said.
Customers were reassured Qantas' systems were now secure, with more details of the extent of the data breach for individual customers expected next week.
Until then Ms Hudson encouraged customers to visit the Q&A on the website and app, and call the customer support line.
'I mean this is an increasing global threat for organisations and for all of us in the modern digital world and we have to learn from these events,' she said.
Originally published as Qantas CEO's 'great regret' over cyber attack on customer database storing personal details



West Australian
'Disappointing, frustrating': How Qantas data breach exposes deep flaws in Australia's cyber defences
The cyberattack targeting the personal data of customers with Qantas is the latest in a string of breaches affecting millions of Australians, as hackers target major companies and exploit weak spots in the systems they rely on.
The breach, detected by the Flying Kangaroo on June 30, originated from a third-party customer servicing platform used by one of the airline's contact centres.
Cybersecurity experts said the breach is part of a much broader problem - and corporate Australia is falling short.
Dr Hammond Pearce, a lecturer in computer science and engineering at UNSW, told NewsWire the embarrassing incident at Qantas highlights a dangerous complacency among major companies.
'It's disappointing and frustrating that a company of this size and means, one which has tremendous importance to everyday Australians, is unable to safeguard our data,' Dr Hammond said.
Although contained, the latest attack may have compromised names, phone numbers, email addresses, dates of birth, and frequent flyer numbers. Credit card details, passports, and login credentials were not affected.
The suspected culprits are the cybercrime group Scattered Spider, known for targeting large organisations through helpdesk systems operated by third-party platforms, often using sophisticated social engineering techniques.
The breach comes amid a significant surge in cyberattacks across Australian sectors.
In April this year, thousands of AustralianSuper and Rest members were affected by 'credential stuffing' attacks, where hackers used stolen login details from past breaches to access accounts. The attackers siphoned off $500,000 from just four accounts.
The Australian Signals Directorate, a Federal Government intelligence agency, responded to over 1100 cyber security incidents and 36,700 hotline calls in 2023–24, a 12 per cent jump on the previous year. Data breach notifications spiked 15 per cent in the second half of 2024.
Healthcare remains the most targeted industry, with 102 reported breaches in the latter half of last year. Financial institutions and manufacturers are also under siege, with attackers exploiting stolen credentials, ransomware, and legacy technologies to halt operations or access sensitive information.
Dr Hammond said it's becoming clear that large datasets of personal information, like names, birth dates, and phone numbers, should be 'treated as liabilities, not assets.'
'In Australia, as in many countries, the mass collection and retention of data is usually encouraged from a business point of view.
'Only the government has the abilities to bring in privacy-first rules which can motivate changes to this practice,' he said, urging regulatory reform to force companies to treat personal data with the seriousness it deserves.
He warned that the accumulation of personal data is not only a risk in itself but a direct path to further harm.
'There is the very real potential for down-stream attacks whereby the stolen data is used for scams and other schemes; they might reach out to you pretending to be someone they are not,' he said.
Dr Hammond said that while Qantas acted appropriately after discovering the breach, its overall cybersecurity posture was 'insufficient' — a pattern seen repeatedly across Australian organisations.
'Qantas is not alone in this regard, it is just the latest in a long string of companies which have had data breaches, and it is fast becoming time for a proper regulatory overhaul to require that these companies treat our data with the concern that it deserves,' he said.
The Qantas breach follows a rising number of incidents linked to third-party vendors. Experts say supply chain vulnerabilities now account for the majority of data breaches in Australia, and organisations must hold external providers to the same high cybersecurity standards as internal systems.
Stephen Kho, cybersecurity expert at Avast, told NewsWire that businesses must go beyond simply defending against threats and start preparing.
'Businesses, no matter their size, need to accept that cyberattacks are no longer a matter of 'if', but 'when'. That means shifting from a purely defensive mindset to one of preparation and resilience,' Mr Kho said.
While AI was not involved in the Qantas incident, cybersecurity professionals are increasingly warning that artificial intelligence will supercharge future threats. Scammers are now using AI to craft phishing messages, mimic voices, and even create deepfakes to deceive victims. As the technology advances, impersonation attacks and targeted scams are becoming harder to detect and more damaging.
Mr Kho said prevention is still the best defence against increasingly sophisticated attacks, and he has advice for both the public and businesses.
He recommends using a password manager to generate strong, unique logins for every account, keeping devices and apps updated to patch known vulnerabilities, and staying alert to anything that seems suspicious.
'A healthy dose of scepticism online is one of the best defences you have,' he said.
Mr Kho also urges people to act quickly if something seems off, such as receiving unexpected verification codes, password reset emails, or strange messages from friends, as these may be signs an account has been compromised.
If caught up in a breach, he advises updating sensitive passwords, monitoring bank statements, and watching out for phishing scams impersonating trusted brands like Qantas.
'The goal is to contain the damage before it escalates,' he said.
For businesses, he urges companies to invest in secure infrastructure, regularly patch software, educate staff, and prepare a clear incident response plan if a breach occurs.
'How quickly and transparently a business responds can have a huge impact on how customers perceive and trust the brand afterwards.'
The federal government has pledged up to $20 billion by 2033 to strengthen Australia's cyber defences and has launched awareness campaigns like 'Stop. Check. Protect.' to help Australians recognise and avoid online scams.
But Dr Hammond argues that meaningful progress requires more than public awareness — it demands a systemic overhaul.
'It is fast becoming time for a proper regulatory overhaul to require that these companies treat our data with the concern that it deserves,' he said.
Until then, Australians are being urged to take their own precautions, because as the Qantas breach makes clear, even the biggest and most trusted companies are far from immune.

Sky News AU
'These attacks are going to continue': Qantas cyber breach impacts six million
Okta Global Head of Threat Intelligence Brett Winterford has warned organisations data breaches are 'going to continue' after Qantas was targeted in a major cyberattack last week. 'This is an adversary we track very closely, they are a group of young people globally distributed, but mostly in Western countries,' Mr Winterford told Sky News Australia. 'I think organisations need to assume these attacks are going to continue.'

