Qantas customer data surfaces online after cyberattack

In July, attackers stole important data from the Australian airline. It is not yet clear what is now circulating on the internet.


Following a cyber attack at the Australian airline Qantas in July, customer data has now surfaced online. Together with the investigating authorities, the company is still trying to determine exactly what data is involved. Experts attribute the events at Qantas to the Scattered Lapsu$ Hunters cybercrime collective, which recently hit several large companies.

5.7 million customer records were stolen from Qantas at the beginning of July. Most of the data consists of names, e-mail addresses and frequent flyer data. A smaller proportion of the affected records also includes business or private addresses as well as dates of birth, telephone numbers, gender, and food preferences, Qantas announced on Saturday. Credit card data and passwords were not affected. Frequent flyers do not have to worry about their bonus points, the company assures in its customer information.

The airline has now obtained an injunction from the New South Wales Supreme Court, one of Australia's highest courts, prohibiting access to and publication of the leaked data. However, this is unlikely to deter the alleged actors behind the attack: there are indications that they are Scattered Lapsu$ Hunters. This conglomerate of cybercrime gangs is currently blackmailing 39 well-known companies on a darknet leak site. They are demanding that Google Adsense, Salesforce and Adidas, among others, negotiate a ransom. Otherwise, the perpetrators threaten to publish previously captured data.

Australian IT security expert Troy Hunt is the creator of haveibeenpwned.com. The site makes it easy to find out whether your email address has ever been part of a data leak on a website and whether your login details could have fallen into the hands of cyber criminals. Hunt himself has now been caught out, as he confirmed to the Australian television station ABC News: the email address he had stored in a Qantas customer account was also part of the customer data that was circulating.

However, the damage is likely to be limited: Hunt used the affected address exclusively for Qantas. A common practice among IT security experts is to create an email address that is used exclusively for the account on a specific website. If, for example, emails from other senders suddenly arrive at this address, or the address appears in entirely different leaks, this can indicate a compromise or reveal what other data leaks are composed of.
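
As an added illustration of the per-site address practice described above (not part of the original article), this Python example classifies incoming mail sent to such an address. The alias map, the `.example` domains and the sample messages are constructed, and it assumes the receiving mail server writes a trustworthy `Authentication-Results` header.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed mapping (hypothetical): each alias was handed to exactly one service.
ALIAS_OWNERS = {
    "airline@mail.example": "airline.example",
    "shop@mail.example": "shop.example",
}

def _sample(sender, dmarc):
    """Build a constructed test message addressed to the airline-only alias."""
    return ("From: %s\nTo: airline@mail.example\n"
            "Authentication-Results: mx.mail.example; dmarc=%s\n"
            "Subject: test\n\nbody\n" % (sender, dmarc))

LEGIT = _sample("Airline <news@mail.airline.example>", "pass")
SPOOFED = _sample("service@airline.example", "fail")
STRANGER = _sample("promo@casino.example", "pass")

def _from_domain(msg):
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def _dmarc_pass(msg):
    # Assumption: our own server adds this header and strips forged copies.
    results = " ".join(msg.get_all("Authentication-Results", []))
    return re.search(r"\bdmarc=pass\b", results, re.I) is not None

def _is_owner(domain, owner):
    # The owner's domain itself or any of its subdomains counts as the owner.
    return domain == owner or domain.endswith("." + owner)

def classify(raw):
    """Return (alias, verdict) for every known per-site alias among the recipients."""
    msg = message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Delivered-To", [])
    rcpts = {addr.lower() for _, addr in getaddresses(headers)}
    dom = _from_domain(msg)
    verdicts = []
    for alias in sorted(a for a in rcpts if a in ALIAS_OWNERS):
        owner = ALIAS_OWNERS[alias]
        if not _is_owner(dom, owner):
            # Someone other than the one service knows this address.
            verdicts.append((alias, "leaked: mail from " + (dom or "unknown sender")))
        elif not _dmarc_pass(msg):
            # From claims the owner but fails authentication: likely phishing.
            verdicts.append((alias, "leaked: spoofed " + owner))
        else:
            verdicts.append((alias, "expected"))
    return verdicts
```

A `From` header alone is easy to forge, which is why a matching sender domain only counts as expected when authentication also passes.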


According to Hunt, the Qantas data has been removed from a website where it was initially available for download, possibly by order of the court. "But they are already in thousands of hands and will probably just be uploaded to a new service," he said. The proverbial genie is out of the bottle, he said. He advises affected Qantas customers to be even more vigilant against possible phishing attempts. The more a threat actor knows about their victim, the better they can tailor their phishing attacks.

(nen)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.