Details sent to someone else.

[SandyS]

Potentially, that person, had they chosen to look, had access to all parties on that booking, names, FF numbers and contact number. Should I be worried?




We’re getting in touch to advise that due to human error your Qantas booking reference and name were accidentally emailed to another passenger.

What happened?

The personalised email was sent incorrectly to only one person and Qantas is able to determine who received the email in the unlikely event that any further action is required.

The mistake was detected just over one hour after the email was sent. As a precaution, we changed your booking number to close the loophole that had been created.

The receiver of the email could have used your name and booking reference number to access and view your booking via Qantas.com through the Manage My Booking function between the time the email was sent and when we changed your booking reference. You will have received a new ticket when this was done.

Your payment details were not able to be accessed at any time and we are confident no changes were made to your booking.

We conducted an investigation into this error and have put in procedures to ensure it does not happen again.

Why are you telling me now?

Given your name and booking reference were only sent to one person, and the loophole has since been closed, we do not believe there is particular cause for concern. However, we are proactively notifying impacted customers because we take your privacy very seriously and we want to apologise to you.

If you haven’t completed all your travel associated with this booking, please check your email for a new itinerary and booking reference. Please note that all of your flights remain the same and no other action is required in relation to your travel. You will need to use the new booking reference to access your booking via the Manage My Booking function on Qantas.com.

 

[juddles]

Wow. Can you give some more background to what appears to be your display of an official Qantas email?

 

[SandyS]

Wow. Can you give some more background to what appears to be your display of an official Qantas email?

I received the email from Qantas today. I can't be the only person this happened to as the mix up was through Qantas warning people about the delays at Tullamarine due to roadworks.

 

[puppysparkes]

From the response you've posted almost all risk has been mitigated.

The only other step Qantas could have taken, is to have the recipient confirm by reply email, that they deleted the email from their inbox and deleted items.

 

[straitman]

Potentially, that person, had they chosen to look, had access to all parties on that booking, names, FF numbers and contact number. Should I be worried?


We’re getting in touch to advise that due to human error your Qantas booking reference and name were accidentally emailed to another passenger.What happened?The personalised email was sent incorrectly to only one person and Qantas is able to determine who received the email in the unlikely event that any further action is required. The mistake was detected just over one hour after the email was sent. As a precaution, we changed your booking number to close the loophole that had been created. The receiver of the email could have used your name and booking reference number to access and view your booking via Qantas.com through the Manage My Booking function between the time the email was sent and when we changed your booking reference. You will have received a new ticket when this was done.Your payment details were not able to be accessed at any time and we are confident no changes were made to your booking. We conducted an investigation into this error and have put in procedures to ensure it does not happen again. Why are you telling me now?Given your name and booking reference were only sent to one person, and the loophole has since been closed, we do not believe there is particular cause for concern. However, we are proactively notifying impacted customers because we take your privacy very seriously and we want to apologise to you. If you haven’t completed all your travel associated with this booking, please check your email for a new itinerary and booking reference. Please note that all of your flights remain the same and no other action is required in relation to your travel. You will need to use the new booking reference to access your booking via the Manage My Booking function on Qantas.com.

Wow not very good but at least they came clean about it.

I would keep an eye out to see if anything happens to anyones accounts. Qantas has accepted that they caused the issue so it would be unto them to fix anything that may occur.

If in doubt you could get people to change their pin numbers but as no one ever had them that really should not be an issue.

To answer your question though I wouldn't overly worry other than just keeping a watch on their accounts.

 

[chrispy3276]

I was also impacted by this - received the above e-mail, as well as one a couple days before my flight with an incorrect name (I didn't think to check the booking reference - didn't realise it wasn't mine). I also lost my seat preference as a result of the re-booking (ended up at the back of the plane as opposed to Row 5 which had been selected prior).

Was confused as to why I had received what looked like a new booking just hours before my flight with no explanation - seemed a bit odd.

 

[Bundy Bear]

I about 5 years ago was making bookings for other people and well in one of the bookings I was doing I used the wrong email, Qantas phoned me and said I had sent it to the wrong email address. oops.

Seems like in this case its possible another person with a similar name phoned up to check a flight and Qantas sent that person your booking details by mistake, so the easiest way was for Qantas to change the PNR.

 

[Matt_01]

I would treat any message like this with caution. You are being asked to log into a link provided within the email. Without seeing the entire email it may be phishing attacks. I would inspect the links and check out the sender details. Also I would not log in via the link, rather go direct to QF website and then log in. If you are still uncertain call QF and ask if they sent it.

Also normally when something changes in a booking an automatic email is sent to you e.g. schedule changes. In this case you have a new booking reference, I would have thought this would have trigged an automated email. I am paranoid with email security, there are some excellent hackers out there that just cast a wide net and catch a few off guard.

There was a thread the other day discussing accounts being hacked.

 

[ajd]

That's not fantastic, but as others have said at least they've noticed it and mitigated it. One wonders how many other times something like this has happened and gone unnotified.

Of course, the proper AFF thing to do here is to demand points in compensation, is it not?

 

[RooFlyer]

I would have asked Qantas to send me a copy of the e-mail that was sent to the third party, so I could judge for myself how serious the mistake was / could become.

This bit:

The personalised email was sent incorrectly to only one person and Qantas is able to determine who received the email in the unlikely event that any further action is required.

... is rather disingenuous I believe. Qantas could not know how many people had access to the e-mail address that was used. How could they determine who 'received' the e-mail ... either the first time, or if it was forwarded to other people? What they meant to say that it was only sent to one e-mail address; we know QF has problems with grammar and such.


As an experiment, I just went into Qantas MMB with a forward booking ref and my surname.

After getting in, it displayed my e-mail, phone contact details and my FF status - I was not logged in.

So, could the third party receiver also see these details, if they logged in with the OP's original booking ref and name, in the one hour period available? If so, has Qantas being totally frank with the OP and others in the same boat? They should be able to determine if the booking was accessed in that hour period.

If I were the OP, I would take this further with Qantas - from the point of view of them not really knowing who/how many people received the e-mail and the fact that changing the flight reference may be the least of the issues. Put a marker down in case something happens in the future.

 

[aussiel]

After getting in, it displayed my e-mail, phone contact details and my FF status - I was not logged in.

International bookings may also contain date of birth and passport number if APIS is entered.

 

[puppysparkes]

OP can make a complaint to the OAIC
https://www.oaic.gov.au/individuals/

However unless it is a mass breach I wouldn't expect a prompt response.

 

[Jack_OC]

I received the email from Qantas today. I can't be the only person this happened to as the mix up was through Qantas warning people about the delays at Tullamarine due to roadworks.

I about 5 years ago was making bookings for other people and well in one of the bookings I was doing I used the wrong email, Qantas phoned me and said I had sent it to the wrong email address. oops.

Seems like in this case its possible another person with a similar name phoned up to check a flight and Qantas sent that person your booking details by mistake, so the easiest way was for Qantas to change the PNR.

I got exactly the same email today, so I think it was something a bit more systemic than someone with a similar name phoning up. And this prompted me to go back and look at the email that I received about this issue on the day in question, and guess what, it contains someone else's name and booking ref. So I'm starting to think that they sent everyone with a booking that might be affected by the freeway closure a "personalised email" with the wrong person's details in it! It's pretty bad in any case.

EDIT: although the email states "As a precaution, we changed your booking number to close the loophole that had been created", that does not actually seem to have happened. I was going on a day trip on the day in question, and the email was sent less than an hour before my outbound flight, so I was already airborne before they would have taken any action. I had also already checked in for the return leg on my phone, and there was no need to get a new BP or anything, nor did I get any notification that my PNR had changed.

 

[puppysparkes]

I would have asked Qantas to send me a copy of the e-mail that was sent to the third party, so I could judge for myself how serious the mistake was / could become.

This bit:


... is rather disingenuous I believe. Qantas could not know how many people had access to the e-mail address that was used. How could they determine who 'received' the e-mail ... either the first time, or if it was forwarded to other people? What they meant to say that it was only sent to one e-mail address; we know QF has problems with grammar and such.


As an experiment, I just went into Qantas MMB with a forward booking ref and my surname.

After getting in, it displayed my e-mail, phone contact details and my FF status - I was not logged in.

So, could the third party receiver also see these details, if they logged in with the OP's original booking ref and name, in the one hour period available? If so, has Qantas being totally frank with the OP and others in the same boat? They should be able to determine if the booking was accessed in that hour period.

If I were the OP, I would take this further with Qantas - from the point of view of them not really knowing who/how many people received the e-mail and the fact that changing the flight reference may be the least of the issues. Put a marker down in case something happens in the future.

The response that OP posted is the correct format for disclosing privacy breaches. Full open disclosure is required in those circumstances. Failure to do so can incur financial penalties from the OIAC. You won't find anything different from the source email.

In those situations you're totally relying on good will from the recipient. There's no real way to determine if they have deleted or forwarded the email. Even if they do reply stating in writing stating they have.

 

[RooFlyer]

The response that OP posted is the correct format for disclosing privacy breaches. Full open disclosure is required in those circumstances. Failure to do so can incur financial penalties from the OIAC. You won't find anything different from the source email.<snip>

I don't really understand that.

The response that OP posted is the correct format for disclosing privacy breaches.

and

Full open disclosure is required in those circumstances.
(my bolding)

... appear to be contradictory if my experiment is the norm. If so, "Full open disclosure" would require notification that the OP's e-mail and phone numbers may have been accessible by the e-mail recipient, or anyone with access to the e-mail, OR at least notification that it was a possibility, wouldn't it? "Full open disclosure"

<snip>
In those situations you're totally relying on good will from the recipient. There's no real way to determine if they have deleted or forwarded the email. Even if they do reply stating in writing stating they have.

Exactly -that's why Qantas' quoted statement:

The personalised email was sent incorrectly to only one person and Qantas is able to determine who received the email in the unlikely event that any further action is required.

... is all the more risible.

 

[puppysparkes]

I don't really understand that.

The response that OP posted is the correct format for disclosing privacy breaches.

and

Full open disclosure is required in those circumstances.
(my bolding)

... appear to be contradictory if my experiment is the norm. If so, "Full open disclosure" would require notification that the OP's e-mail and phone numbers may have been accessible by the e-mail recipient, or anyone with access to the e-mail, OR at least notification that it was a possibility, wouldn't it? "Full open disclosure"



Exactly -that's why Qantas' quoted statement:

The personalised email was sent incorrectly to only one person and Qantas is able to determine who received the email in the unlikely event that any further action is required.

... is all the more risible.

This is true. My oversight on the lack of QF details.

 

[puppysparkes]

I don't really understand that.

The response that OP posted is the correct format for disclosing privacy breaches.

and

Full open disclosure is required in those circumstances.
(my bolding)

... appear to be contradictory if my experiment is the norm. If so, "Full open disclosure" would require notification that the OP's e-mail and phone numbers may have been accessible by the e-mail recipient, or anyone with access to the e-mail, OR at least notification that it was a possibility, wouldn't it? "Full open disclosure"



Exactly -that's why Qantas' quoted statement:

The personalised email was sent incorrectly to only one person and Qantas is able to determine who received the email in the unlikely event that any further action is required.

... is all the more risible.

I think both you and Qantas did identify the same error:

"The receiver of the email could have used your name and booking reference number to access and view your booking via Qantas.com through the Manage My Booking function between the time the email was sent and when we changed your booking reference. You will have received a new ticket when this was done".

 

[Jack_OC]

Fortunately the relevant booking in my case was just a domestic one, but I have just checked forward international bookings via MMB (without logging in) and I was able to see all of the information that I have entered into APIS - i.e. date of birth, passport details, address where I will be staying O/S, etc. I would love to know if QF has taken that into consideration for people who were flying internationally on the day in question.

Naturally I'm not very pleased if someone else got hold of my FF number, email and phone number, but the APIS info would have been a lot worse. I think I will be getting on to QF about this and asking them to provide a bit more clarity about exactly what went on.

 

[SandyS]

Same for me. It was luckily just a domestic booking so I called Qantas who really just seemed to downplay the whole thing.

Mistakes are made, I get that but as others have said, you can't know who else could have seen that email. My domestic booking was never changed that I noticed. I checked in for my original trip with the same seats I had chosen. I read the info about the closures but didn't really look at any other info and just deleted the email.

Fortunately the relevant booking in my case was just a domestic one, but I have just checked forward international bookings via MMB (without logging in) and I was able to see all of the information that I have entered into APIS - i.e. date of birth, passport details, address where I will be staying O/S, etc. I would love to know if QF has taken that into consideration for people who were flying internationally on the day in question.

Naturally I'm not very pleased if someone else got hold of my FF number, email and phone number, but the APIS info would have been a lot worse. I think I will be getting on to QF about this and asking them to provide a bit more clarity about exactly what went on.

 

[Jack_OC]

Same for me. It was luckily just a domestic booking so I called Qantas who really just seemed to downplay the whole thing.

Mistakes are made, I get that but as others have said, you can't know who else could have seen that email. My domestic booking was never changed that I noticed. I checked in for my original trip with the same seats I had chosen. I read the info about the closures but didn't really look at any other info and just deleted the email.

Thanks for this info. I have emailed QF about it. So it seems that neither of us had our booking refs changed or new tickets issued (as the email claimed had happened). This is a major concern for two reasons: 1 - it means the recipient had much longer than an hour to access our details if they wanted to; and 2 - it seems that QF did not actually implement the "solution" that they claimed to have implemented - or at least not consistently.

BTW, I also get that mistakes happen (in general), but I have to say that I do not get how this particular mistake happened. I really can't figure out how they managed to insert the details of a random person's booking into emails sent to others. Can anyone figure out what could have gone wrong here?