JACKSON HEWETT: Qantas cyber hack the latest of many to come

West Australian, 2 days ago
Monday's attack on a Qantas call centre in Manila is the latest in a slew of cyber attacks that appear to be growing in both sophistication and frequency.
According to the Global Anti-Scam Alliance, $US1.03 trillion ($A1.57t) was lost globally in 2024, with nearly half of global consumers experiencing a scam attempt at least once a week.
With six million customer records potentially stolen during the breach, Australians were likely to be among those whose personal data could be used to hack financial accounts or to commit identity theft fraud.
Australia continues to be a lucrative destination for scammers, drawn by high balances in bank accounts and superannuation funds.
In April this year, some of the largest super funds in the country, including AustralianSuper, Hostplus, REST and Australian Retirement Trust, were subjects of a 'credential stuffing' scam, which relies on people using the same password across multiple accounts.
AustralianSuper, which has more than 3.5 million customers and $367 billion in funds under management, said four accounts in the pension phase were defrauded of a combined $500,000. In many instances the super funds had not turned on multi-factor authentication, which requires users to verify their identity using two or more different factors, such as a password and a code sent to their phone.
Australians are becoming better at recognising scams, however, and despite scams costing an estimated $2b last year, the Government's National Anti-Scam Centre said losses were down by 25 per cent on their peak of $3.1b in 2022.
The number of scam reports fell almost 18 per cent over the same period from 601,803 in 2023 to 494,732 in 2024.
The top five losses, accounting for 80 per cent of total losses, were led by investment scams at almost $1b, followed by romance scams, payment redirection, remote access and phishing.
In January the National Anti-Scam Centre launched the 'Stop. Check. Protect.' campaign to encourage Australians to confidently identify, avoid and report scams.
But while Australians appear to be getting the message, scammers are using artificial intelligence to become more sophisticated.
Matt Warren, director of the RMIT University Centre for Cyber Security Research, said scammers are now using AI to polish their messages, eliminating the spelling and grammar mistakes that used to act as red flags. This makes scam emails harder to detect, especially when people are distracted or in a hurry, with Mr Warren noting 'those warning signs aren't as obvious anymore'.
Mr Warren said scammers were already using digital tools to target people at scale, focusing on the 'five per cent or so' of victims who were susceptible to spoof communication.
But Daswin De Silva, professor of AI and Analytics and Director of AI Strategy at La Trobe University said AI was enabling scammers with far more impressive tools, such as the ability to mimic recognisable voices, for fooling potential victims.
'The Qantas attack was likely driven by impersonation attacks or social engineering, and with artificial intelligence, we can do this in droves,' he said.
'We already have examples of deep fakes being used to impersonate individuals. These attacks are not that sophisticated, but the attack surface and the intensity and complexity of the attacks definitely can increase with AI.'
As companies collect more and more consumer data in pursuit of increasing levels of personalisation, the threat expands.
'Companies will use AI to determine certain buying patterns, certain behaviours, but AI can also be used to derive more personalised information than what we would have typically disclosed to a commercial organisation,' Mr De Silva said.
'So there is also that risk that with increased data collection about us and how we live, scammers can develop more ways to trick us.'
Mr De Silva said Australia lagged the European Union, which introduced the General Data Protection Regulation in 2018. The regulation gives individuals more control over how their personal data is collected, used, and stored, and imposes strict rules on organisations that handle such data, including third parties.
It also makes companies accountable for infringements, with fines of up to 4 per cent of annual worldwide turnover. In the US, which is far more supportive of innovation than regulation, data protection is governed by a patchwork of Federal and State laws.
'We want to be in the middle between the EU and the US, where there is a healthy balance of supporting, enabling innovations, but also securing and looking after the rights, the privacy, the confidentiality of individuals,' Mr De Silva said.
It is not just individuals who are at risk from identity theft, with government transfers an increasingly lucrative scam for criminal gangs.
Last week the Federal Bureau of Investigation announced it had seized $US245m and charged hundreds of citizens and medical professionals as part of a widespread identity fraud targeting the US healthcare system that may have resulted in as much as $US15b in losses.
Mr Warren said Australia's Medicare system would be a valuable target using similar identity theft techniques.
The attack on a third-party provider also called into question the security processes expected by companies looking to outsource costly activities like call centres to providers who may not have made the appropriate investment in their systems.
Mr De Silva said stronger regulation could help close cybersecurity gaps by requiring third-party technology providers to meet minimum standards, including mandatory audits and system checks, training, and hiring practices.
'There is definitely opportunity for tighter regulation that ensures the safety of data and individuals,' he said.
Related Articles

Qantas CEO Vanessa Hudson regret over Scattered Spider cyber attack

Herald Sun, 8 hours ago

A cyber attack was the furthest thing from Vanessa Hudson's mind, as she enjoyed her annual leave far away from the New South Wales' 'bomb cyclone' for the heatwave of Europe. But that quickly changed on Monday after a phone call from a fellow executive telling the Qantas CEO 'suspicious activity' was detected on a database where the details of six million customers were stored.
'As soon as I heard the breach had happened, I stopped everything I was doing and I connected with the team and was leading our response,' said Ms Hudson from London.
'All our focus was understanding what occurred, and the time gap between communicating to customers was so we could advise with 100 per cent confidence that no passport details had been breached, no credit card numbers and the Frequent Flyer system was completely secure.'
A statement to the ASX and the media was released Wednesday morning, outlining the attack had accessed customers' names, birthdates, phone numbers, email addresses and loyalty numbers — enough information to cause anxiety for the millions affected.
What made it worse was the US Federal Bureau of Investigation had issued a warning three days beforehand that hacker group Scattered Spider was targeting the aviation community, with attacks on WestJet and Hawaiian Airlines. Ms Hudson said that warning had been communicated by Qantas to its call centres on Friday June 27 — apparently to no avail.
'Unfortunately the cyber criminal in this instance was able to gain access to what is a customer service platform and that was following an interaction with a call centre operator (in Manila),' she said.
'I'm sure you would appreciate that we really do want to avoid further action by other cyber criminals so I have felt that it's important not to provide a lot more of the specificities around what's occurred.'
While she does not want to attribute blame, various cyber experts have highlighted striking similarities between Scattered Spider's MO and the Qantas infiltration.
The criminal organisation is believed to have evolved from a group of young people trading secrets on social media for how to cheat playing video games, to something much more sinister.
'The group is notorious for targeting large enterprises — often by exploiting IT help desks via social engineering,' said Rapid7 senior director of threat analytics Christiaan Beek. 'Their end goals are typically data theft and extortion. In some intrusions, they have partnered with or acted as affiliates of ransomware gangs.'
Unlike the Medibank cyber attack in late 2022 which was attributed to Russia's Aleksandr Ermakov, Scattered Spider's members came from the US, UK and Canada. Okta's Brett Winterford said the group is not only motivated by profit but the 'desire to score a big win that impressed their peers'.
Only last month, Scattered Spider targeted retailers including North Face, Cartier and Victoria's Secret, following on from a spate of attacks on UK retailers Harrods, Marks & Spencer and Co-op. US insurers including Aflac, Erie Indemnity and Philadelphia Insurance have also been under siege from the group — all hit in what appeared to be co-ordinated attacks during a five-day period last month.
As yet Qantas has received no ransom demand, nor has the stolen information been shopped for sale on the dark web. But that's not to say the 6 million individuals caught up in the attack are in the clear — and Ms Hudson stressed that vigilance was critical.
'That is obviously the reason why we acted so quickly and so transparently with our customers,' she said.
Within hours of the suspicious activity being confirmed on Monday, Ms Hudson said she notified her chair, John Mullen, and the government.
'We are continuing to work really effectively with the government cyber teams and also the AFP because this is a criminal matter,' she said.
Experts agreed that Qantas customers risk being targeted by follow-on social engineering attacks. This includes potential credential stuffing – the same method hackers used earlier this year to siphon hundreds of thousands of dollars of retirement savings from Australian industry super funds.
Ms Hudson described her 'concern and great regret' the attack had occurred, but she said Qantas' response would help the airline's mission rebuilding trust.
'Trust is something that has to be earned both in the good times and also in the hard times and I think in the hard times in this context and where we're at, the way in which you continue to support customers being transparent with them, being open and being supportive goes to an important part of customers' understanding that we're focused on them, even in the hard times,' she said.
Customers were reassured Qantas' systems were now secure, with more details of the extent of the data breach for individual customers expected next week. Until then Ms Hudson encouraged customers to visit the Q&A on the website and app, and call the customer support line.
'I mean this is an increasing global threat for organisations and for all of us in the modern digital world and we have to learn from these events,' she said.
Originally published as Qantas CEO's 'great regret' over cyber attack on customer database storing personal details