Qantas customer passports at risk following frequent flyer cyber theft

Using their access to flight booking data, the employees altered bookings and changed frequent flyer details using a partner airline booking system to send the earned points to an account they controlled.

The theft affected over 800 bookings in July and August 2024 and resulted in passport data being potentially compromised.

“As part of the access they had to do their job, they may have had access to some customers’ passport details,” Qantas told the media.

“There’s no evidence this has been used in any way.”

In August, the two contractors were stopped and suspended, and customers reportedly had their frequent flyer points restored, and bookings fixed.

Despite some reports, Qantas emphasises that the attack was not the result of a cyber attack or hack, but an instance in which employees abused their access.

VIEW ALL

“This was not a cyber hack or data theft, but a case of two rogue employees of one of our suppliers abusing their position to fraudulently steal frequent flyer points,” a spokesperson told media.

“We are not aware of any current bookings impacted. The police investigation is ongoing.

Qantas has reportedly added new restrictions for accessing customer bookings to prevent a repeat incident.

According to The Australian, there are rumours the incident may have affected other airlines within the Oneworld alliance, a global airline partnership between 15 airlines from around the globe that allows customers to accrue and use the same frequent flyer points.

Earlier this year, Qantas suffered a data breach, in which customers attempting to log in to the MyQantas app were logged into other people’s accounts.

Several customers of the Australian national carrier have reported being able to access other customers’ account information, point score, status tier, travel destination and even boarding passes.

“My Qantas app logs me in to a different person each time I open it,” one person told 7News.

“I have access to the booking details, QFF numbers, status, and boarding passes of people I don’t know. Logging out and back in does nothing.”

In addition, customers could reportedly change a customer’s seats, cancel their flight altogether or book an entire new flight under their name.

“I was able to access full booking details, including the ability to cancel someone’s flight to Europe,” said another customer.

Qantas quickly restored the app the same day and confirmed that no financial information was visible, and customers could not use other people’s boarding passes to board flights.

While the cause of the incident was originally unknown, Qantas today (3 May) released a statement confirming that a cyber attack was not responsible and that a technical issue was to blame.

“On Wednesday, we experienced an issue with the homepage of the Qantas App. We want to apologise to all our impacted customers and assure you that the app is stable and operating normally,” Qantas said in a letter to its customers seen by Cyber Daily.

“We have now identified the root cause and can confirm that this was a technology issue, and there is no evidence of a cyber incident.”