Ebe Ganon says she's disappointed but not surprised by the Qantas cyber attack. Photo: ABC News / Luke Stephenson
Qantas customers say they feel vulnerable, angry and unsupported following last week's major cybersecurity breach, and are now questioning whether the airline is doing enough to protect Australians' personal data.
On Monday night, Qantas quietly updated its website to confirm the airline had been contacted by "a potential cybercriminal" less than a week after the data of up to 6 million of its customers was accessed in an online attack.
The airline said it was still working to verify the legitimacy of the contact and has engaged the Australian Federal Police to investigate.
But Qantas is yet to officially confirm the name of the group that has been able to access passenger names, email addresses, phone numbers, dates of birth and Frequent Flyer numbers.
The airline is also still working to determine exactly what data was stolen for each affected customer.
What we do know is that last week, Cyber X, which is the company called in by the airline to investigate the massive cyber attack, said the incident had all the hallmarks of international group Scattered Spider.
We also know that just days before Qantas says it had detected "unusual activity" on a third-party platform that holds customer data, the FBI had issued a warning that Scattered Spider was planning to target airlines.
Far from a sophisticated attack, cyber experts said one of the hackers likely impersonated an IT or other official, and simply tricked a Qantas call centre worker in Manila to obtain the login details to that third-party platform.
Dozens of Qantas customers have contacted the ABC in the wake of the cyber attack to express their frustration with the airline. Some have since been targeted by scammers or received alerts from online accounts including the federal government portal myGov.
Canberra-based disability advocate Ebe Ganon said she received a scam call from someone pretending to be from Qantas Money the same day the company confirmed the breach.
"He was purporting to be alerting me of three suspected fraudulent transactions, and those transactions were really tailored to my shopping and purchasing habits."
Qantas is yet to officially confirm the name of the group that has been able to access passenger data. Photo: AFP / Saeed Khan
Ganon said the scam caller also referenced a range of different personal information, including her full name, date of birth and the last four digits of her credit card, which suggested he had access to her Qantas customer profile.
"I'm a pretty savvy, you know, technologically savvy person, and it still even took me a couple of minutes to sort of ask him enough questions to be satisfied that it wasn't a legit call."
On Monday, Qantas again stated no credit card details, personal financial information or passport details were stored in this system accessed by the cybercriminals.
However, after also being caught up in the Medibank and Optus data breaches, Ganon is sceptical of Qantas's claim that no financial data was compromised.
"But even if that has come from another source, it points to a much scarier reality.
"I think that many of these scammers are creating composite profiles of people using information from a range of different data breaches and creating profiles where they can then speak to you in a way that's really, really convincing."
Indeed, cyber experts have told the ABC the type of data stolen in the Qantas attack could be very valuable to cybercriminals.
"With this particular matter, the biggest risk coming out of this will not be access to Qantas data specifically, but moreover that those 6 million people will be targeted in related type scams," Stan Gallo, Forensic Services partner with BDO Australia, told ABC News.
"So whether it's myGov, or people contacting individuals claiming they're from Qantas, or from a bank, or from some other institution."
Qantas customers' MyGov accounts targeted
Indeed, the ABC has been contacted by several people caught up in the Qantas cyber attack whose federal government online myGov accounts have been targeted by suspected hackers.
A spokesperson for Services Australia, which manages myGov, was unable to confirm if there had been a spike in fraudulent attempts to access accounts, but said it was not uncommon after a data breach. The spokesperson said there were ways for users to protect their personal information.
Adelaide-based customer Jack Allison said he received an alert from myGov at 6:30pm - right about the time Qantas emailed him to confirm his personal data had been caught up in the breach.
"They guessed five passwords before being locked out," Allison told ABC News.
"Once they're inside myGov, they'd be able to access people's tax records, their medical history, it's not good."
He said he's disturbed by Qantas's offshore handling of sensitive data.
"I deeply dislike that personal information is being handed across the globe without my knowledge and consent. I want stronger safeguards for my personal information and the personal information of my family.
"I can't go and change my name or my date of birth or my address, and I think it's they're just not treating this with the level of respect that it deserves."
Calls for a bigger stick to protect customer information
It took Qantas CEO Vanessa Hudson until Thursday night to give an interview following the cyber attack. She spoke to one media outlet from her holiday in Europe. Other media, including the ABC, were not given advance warning of the interview so were unable to put questions to the airline's boss.
While customers are calling for stronger protections, lawyers said current privacy laws offered limited paths to justice - and were badly in need of reform.
Lizzie O'Shea says Qantas could face legal action from customers affected by the cyber attack. Photo: ABC News / Billy Draper
Lizzie O'Shea, principal lawyer at Maurice Blackburn, said affected individuals can currently make a complaint to the Office of the Australian Information Commissioner, but that process is slow and often overwhelmed.
"There is a process that they go through to determine whether you've experienced any harm and you can be awarded compensation," O'Shea said.
"One of the problems with that scheme is that the commissioner's office is overwhelmed by complaints of this nature."
O'Shea said one key solution is introducing a "direct right of action" - so individuals can take companies like Qantas straight to court.
"That means that instead of going to the commissioner, where the process can be slow, you have a direct right of action to go to court. That means you can sue companies that have mishandled your information and obtain compensation."
She said there was an urgent need to reform the Privacy Act.
"Because at the moment companies can have these data breaches occur and there may not be a clear remedy or a pathway to getting the result for people who are harmed, and I think most Australians think that's not good enough."
She said this type of large-scale breach is exactly the kind of case that could justify a class action - if the law made it easier.
"In this kind of circumstance, where there's 6 million people potentially affected, it is a vehicle for a class action if you have a direct right to go to court.
"That would get the kinds of results that I think people expect in these circumstances and it would also act as a deterrent to make sure companies treat information really carefully, with the risk that they might be having to face court if they don't."
Until that happens, Qantas customer Ebe Ganon said large corporations would continue letting customers down - without consequence.
"So I think my expectations are low. I'm disappointed but not surprised."
- ABC