Nearly 1000 Qantas customers have been caught up in a major cyber theft after an Indian company stole frequent flyer points in a serious breach of the airline company’s IT systems.
The Weekend Australian can reveal two third-party airport contractors in India have been suspended by their employer for inappropriate conduct, which involved accessing and making unauthorised changes to Qantas customer bookings. The contractors worked for Air India SATS, a joint venture between India’s main airline and SATS, which is Singapore’s biggest ground handling company.
The IT scandal only came to light after one Qantas customer in Sydney complained to this writer that her account had been hacked and the airline had failed to take responsibility for the breach.
Qantas said the fraud occurred because it operates flights to India where it uses a ground handling operator. It alleges staff at the local ground handling operator were able to access bookings – unrelated to India flights – and steal passengers’ information.
Qantas has since referred the attack to local Indian police and admitted customer data has been compromised by the unfolding cyber hack.
Qantas alleges the individuals were fraudulently stealing valuable frequent flyer details in their bookings. The frequent flyer theft has hit several airlines, including around 800 Qantas bookings over several weeks.
“We apologise to our customers who have been caught up in this fraudulent activity, which has impacted a number of airlines,” Qantas said in response to questions from The Weekend Australian.
The alleged thieves used booking reference numbers and customer names to steal points. However, other sensitive personal data including passport details and date of birth would have been available on the Amadeus booking system. It is unknown if this information has been mis-used.
Customers caught up in the hack have not been notified by Qantas and the airline has yet to issue a public statement.
The news will be a blow to Qantas on two fronts. The breach has exposed a serious cyber weakness at the airline at a time when new chief executive officer Vanessa Hudson is pouring money and effort into improving customer experience after several mis-steps, including the ghost flights scandal.
Qantas said that changes to customer details were made using other airlines’ booking systems, adding it had worked with these partner airlines to lock down system vulnerabilities.
“As soon as we became aware of this, we worked closely with our airline partners to secure their systems to prevent this issue from happening again. Customers have received the full amount of points and status credits they were entitled to for their travel.”
And yet it is clear that some – if not all Qantas customers impacted – have not been made unaware by the airline that personal data has been illegally accessed.
When Caitlin* and her husband went to check in for a $20,000-plus business class flight to London this August, the night before their flight they were concerned to discover their bookings were not showing up in the Qantas app. The booking was made through Qantas and did not involve flights with any other airlines.
“My first thought was there was a hacking event at Qantas,” Caitlin said.
It turned out her bookings were still in the system, but the frequent flyer numbers had been changed, which is why the booking did not show up on her Qantas app.
After a frantic phone call on the day of travel with a Qantas offshore call centre; “the women I spoke to tried to question whether we had somehow just created brand new frequent flyer numbers,” Caitlin was finally put through to someone in Australia who fixed the problem.
She and her husband boarded their long-haul flights that day.
They had been hacked.
Privately, after Caitlin asked Qantas customer service to find out what had happened, she was told it was likely because she had either clicked on a malware link or that there was a cyber breach at airline alliance Oneworld.
Neither explanation was correct.
She is still to be told by the airline that her details had been scooped up illegally.
The last time Qantas confessed about a breach was in May when the airline said a “technical issue” with its app was responsible for customers being able to see the booking details of others when they logged in.
The airline was quick to shut down fears this was a malicious cyber breach, saying back then that there was “no evidence” of a cyber incident and it was instead just a problem with its homepage.
The biggest cyber event to hit aviation was the global outage caused by CrowdStrike in July. More than 110,000 flights were cancelled on the day the problem occurred, up from 2000 the day before the event according to data from Cirium.
While all companies can experience cyber attacks, this scandal shows that the company still has issues with offshore customer service call centres. This division of Qantas was in the spotlight two years ago when customers were forced to wait for up to ten hours to speak to an agent.
It also shines the light on how much private data Qantas shares with third parties as a course of business. Qantas said it would continue to work with Air India SATS but now has stricter protocols for the ground handler.