9 hours ago
3
It wasn’t quite the same drama Kiefer Sutherland’s fictional character, Jack Bauer, endures in the TV series 24, but Qantas boss Vanessa Hudson has just had her own little adventure tackling cyber criminals.
Ten days ago, while holidaying with her family in Greece, Hudson received the call from a senior executive holding down the fort in Australia. It was an early morning call for Hudson, and the news was grim.
Qantas’ system had been breached by cyber criminals. It was the first crisis under Hudson’s watch, and her holiday was over as round the clock management of the crisis kicked in.
The data breach was bad enough, but how Qantas would handle the situation was a key object of interest for customers, the media, the government and the airline’s board. To say nothing of the elites – from the likes of the prime minister to the chairman of BHP – given some members of the Chairman’s Lounge had their details stolen.
Qantas chief executive Vanessa Hudson said the airline was treating the cyber hack “incredibly seriously”.Credit: Eamon Gallagher
A response team was quickly assembled, with members from the IT, Frequent Flyers, communications and government relations divisions all pitching in. For the next 72 hours, Hudson held a series of meetings with the response team, the board and the government, including the federal Transport Minister, Catherine King.
“As soon as I was contacted I dropped everything, this was 100 per cent of my focus – responding to the team,” Hudson said.
In the early hours of the drama, what had been stolen and how many and which customers had fallen victim wasn’t known. She said that in the first 24 hours, the first and most immediate task, was to secure the system and lock out the cyber criminals.
Once done, the next task was to access what information was contained in the breached system and which customers were affected.
From the Qantas customer management perspective it was equally important to find out what information wasn’t compromised. Luckily hackers had stolen no passport or credit card details, but addresses, phone numbers and frequent flyer numbers of millions of customers were now in a criminal database.
Nailing down that damage assessment took Qantas 24 hours. Then began the task of letting customers know. First Qantas contacted all Frequent Flyer customers, regardless of whether their details had been compromised. Next came the more unpleasant task of letting affected customers know about the hack.
Loading
On Wednesday, a week after the initial announcement, Qantas sent out a more refined set of emails to various customer sets, letting them know what pieces of information had been taken from them. Those least affected (including me) had their name and frequent flyer number stolen.
Those that experienced a more invasive theft had in addition to the above, their home or business addresses, phone numbers, birthdates, gender and even meal preferences accessed by the hackers. (Vegetarians, celiacs and lactose avoiders be aware – your secret may find its way to the dark web.)
Hudson, who has been criticised for remaining in Europe in that crucial 48-hour period, told this masthead that she didn’t want to be on a flight during the initial, intense phase of the response, citing that she wanted to be contactable by phone.
She remained on the ground until the 72-hour period had passed and then returned to Australia.
Loading
Hudson also said that lessons had been learned from the high-profile cyberattacks mounted against Optus and Medibank Private in 2022 – in particular the need to cut down how long Qantas holds on to sensitive data like passport numbers in its databases. Qantas doesn’t keep them for long, which is one reason why no passport data has seemingly been stolen.
Earlier this week, Qantas told the market it had been approached by a hacker claiming responsibility for the attack but released no further details given the matter was in the hands of the police.
However, you would have to assume that a ransom was sought given thieves rarely make social calls. And the best guess is that Qantas won’t be paying the criminals anything.
It has been widely speculated that an aggressive hacking group known as Scattered Spider is the culprit. It is the cyber criminal de jour for the aviation and retail industries across the UK and the US but the true identity of the hackers or hacker may become clearer after a thorough investigation.
All in all, things could have been much worse for Qantas, but Hudson would be aware that any company whose systems are broken into by cyber criminals tends to wear that stain for a while, and questions will be asked about the airline’s security measures.
Qantas, under Hudson, has had plenty of practice placating miffed customers and the hack means the airline will probably need to put that practice back into action, at least until the storm blows over.
The Business Briefing newsletter delivers major stories, exclusive coverage and expert opinion. Sign up to get it every weekday morning.
Most Viewed in Business
Loading
