Qantas hack victims could get compensation, say experts


Qantas customers affected by the data hack could ultimately be entitled to compensation if the airline were found to have breached passenger privacy, experts say.

A week after Qantas disclosed the loss of data of up to six million customers, consumer law experts say the airline could ultimately face penalties, if a series of conditions are met.

Uncertainty remains over details around the Qantas frequent flyer data breach. Credit: Tamara Voninski

Early last week, Qantas detected unusual activity on a “third-party platform” used by the airline’s contact centre in Manila. The resulting investigation determined that customer names, email addresses, phone numbers, birthdates and frequent flyer numbers had been accessed through the third-party vendor’s system rather than Qantas’ own.

The airline disclosed the breach, which is suspected to be the work of the criminal cybergang Scattered Spider.

On Monday, Qantas said “a potential cybercriminal has made contact” with the airline and that it was “working to validate” the communication. Cybersecurity officials fear the stolen data could ultimately be held for ransom.


The uncertainty over the status of customer data highlights the volume of data held by Qantas.

Maurice Blackburn class action lawyer Lizzie O’Shea, who specialises in privacy issues, said: “Qantas is a holder of a very significant amount of consumer information, involving huge amounts of data that are used for all sorts of purposes, including profiling consumer behaviour.”

Australian privacy law (Australian Privacy Principle 11 under the Privacy Act) requires an entity to take reasonable steps to protect the personal information it holds from misuse, loss and unauthorised access or disclosure.

The use of the data “may not meet the standards of what most people expect for the way the data is collected and how it’s used,” O’Shea says.

There is no “social license for companies to collect huge amounts of data”, especially as polls show the public continues to show a preference for stronger data protections, she says.

Optus was the target of a class action after a customer data breach. Credit: Eddie Jim

“For that reason, these kinds of data breaches are hugely illuminating for the public. They act as a lightning rod for consumer frustrations, which are usually accompanied by a call for governments to enact stronger privacy laws.”

It’s understood that following the high-profile and damaging hacks of Medibank Private and Optus in 2022, Qantas purged old customer data.

Monash Business School Department of business law academic Dr Aashish Srivastava said: “Under the Privacy Act, if there is a data breach and the customer complains to the Office of the Australian Information Commissioner, and after an investigation the OAIC finds there were privacy breaches by Qantas, as part of that, the OAIC can give the consumer some kind of remedy for any loss or damage suffered as a result of the privacy breach.”


Under the Privacy Act, the watchdog can seek a range of civil penalties: up to $2.5 million for an individual, and for a company $50 million or more, since the corporate penalty is calculated from the benefit obtained or the company’s turnover where those are larger. Optus and Medibank were the targets of class actions following their damaging losses of customer data in separate hacks. The privacy watchdog also took civil action against Medibank.

The watchdog conducted a routine review of Qantas’ frequent flyer data management in 2017, finding that while all “personal information is stored in Australia, Qantas frequent flyer use several offshore customer service centres”.

At the time, Qantas conducted “overseas contract staff background checks” and put provisions in employee contracts “related to the handling of personal information”, the OAIC said.

In 2019, the watchdog’s assessment recommended that the Qantas frequent flyer program “develops and implements a privacy management plan that sets out specific goals and objectives for its privacy management with consideration of the specific issues that apply to its operations”.

The Notifiable Data Breaches scheme requires companies to notify the Office of the Australian Information Commissioner and customers “at risk of serious harm from … a data breach”.

Cybersecurity expert Lani Refiti, from national security firm Azcende, said that if a ransom were sought at this point, Qantas’ corporate and government-led cyber response team would have to be in discussions with the attackers.

“No breach of this size is just for giggles,” said Refiti, whose company also provides cybersecurity compliance advisory services.

“The attackers would have to be looking to monetise it in some manner.”


Scattered Spider has already hit Hawaiian Airlines and Canada’s WestJet this year.

Mandatory reporting rules for ransomware and cyber extortion payments came into effect in May 2025, but it is not yet clear that any ransom demand has followed Qantas’ data loss.

Cybersecurity company Darktrace’s vice president Tony Jarvis said: “It is notoriously difficult to confirm if and where information ends up on the dark web.

“The group that steals the data is often not the group that directly monetises it – and dark web monitoring only catches things that are sold on the open market, essentially marketed for anyone with access to the forum to buy.

“That means if there is already an approved buyer, or a closed network, it will not appear on the dark web,” he said.
