Qantas issues statement on glitch exposing personal travel details of Frequent Flyers

Qantas is investigating an app malfunction that leaked users’ travel details, raising data privacy concerns and prompting warnings about potential scams on social media.

Qantas, Australia’s largest airline, is investigating a suspected issue within its mobile application that caused a significant privacy breach, exposing the personal travel information of its frequent flyers. The malfunction, identified on Wednesday morning, became publicly known and prompted a swift reaction from both the company and users on social media.

The airline has said that the root of the issue might be linked to recent technological updates rather than a cybersecurity attack. The mishap allowed some users of the Qantas mobile app to view other customers’ sensitive information, including names, upcoming flight details, and frequent flyer points balance, among others.

In response, Qantas issued a statement advising customers to log out of their frequent flyer accounts and log back in to ensure their information is secure. The airline also moved quickly to rectify the fault and reassured the public that the breach was contained within the app itself, with no other personal or financial information compromised.

However, concerns were immediately raised about the potential misuse of this exposed data. A Qantas spokesman highlighted the risk associated with social media platforms where fake accounts impersonating Qantas appeared shortly after the breach was made public. These platforms, which include mainstream networks like Facebook and Instagram, often become hotspots for scammers looking to exploit such situations by tricking users into divulging sensitive information.

Compounding the privacy issues were matters of security, as the app breach also made it possible for people to see others’ boarding passes. Nevertheless, Qantas has confirmed that there have been no attempts to travel using someone else’s boarding pass.

Dr Muhammed Esgin from Monash University’s Faculty of Information Technology addressed the gravity of the situation. He emphasised that mobile apps typically need strong authentication measures to ensure that data is accessed only by the rightful owner. The failure in the Qantas app highlights the need for stringent controls and proper authorisation protocols to prevent similar episodes.

Dr Esgin says, “Many companies store customer information in a database and mobile applications need to first authenticate a customer to make sure that it is really the right person being granted access. Then typically the app is allowed to retrieve information from the database about that particular user only and not others, unless permission is granted. The issue seems to be that somehow the app is retrieving private information about other users.

“To prevent such issues, there needs to be proper authentication, authorisation and access control in place. That means we need to make sure that it is really the right person, accessing the right information and nothing beyond what is permitted.

“Unfortunately, these kinds of personal information exposure can be exploited by cybercriminals. It is difficult to measure the extent of the exploitation at this point as we may not be able to fully understand how much sensitive information has been exposed. However, a common strategy of cybercriminals is to use such sensitive information and situations like this to scam users, for example by pretending to be calling/texting/emailing from Qantas or using the sensitive information leaked to present a more convincing scenario to their victims.

“We certainly need better training around cybersecurity and its best practices. The software systems we rely on today are quite complex and minor changes may lead to significant issues. Therefore, we need cybersecurity-trained people implementing changes carefully whenever needed under stringent protocols to ensure that inadvertent privacy breaches do not arise.”

As the investigation continues, Qantas has made an official apology to all affected passengers, underlining that the issue has been resolved and asserting their commitment to data privacy and the security of their systems.

Despite assurances, this incident serves as a stark reminder of the risks associated with digital data and the continuous need for vigilance in protecting personal information in the digital age. Cybersecurity practitioners, like Dr Esgin, advocate for enhanced training and better implementation of technological changes to mitigate these risks effectively.

Read the full Qantas statements here.
