Points stolen from 1000 QFF members by overseas contractor

[Boeyn]

https://www.theaustralian.com.au/business/aviation/qantas-frequent-flyer-customers-caught-in-major-cyber-theft-as-police-called/news-story/295aabdaffa10773d2f7f1f33f702152

I don’t even understand how this kind of hack can be pulled off by a ground handling company. Surely they would only need to access bookings via the GDS - not internal QF systems that include points-based functions?

<summarised> Full article text below.

Nearly 1000 Qantas customers have been caught up in a major cyber theft after an Indian company stole frequent flyer points in a serious breach of the airline company’s IT systems.

The Weekend Australian can reveal two third-party airport contractors in India have been suspended by their employer for inappropriate conduct, which involved accessing and making unauthorised changes to Qantas customer bookings. ...
...
Qantas said the fraud occurred because it operates flights to India where it uses a ground handling operator. It alleges staff at the local ground handling operator were able to access bookings – unrelated to India flights – and steal passengers’ information.
...
The alleged thieves used booking reference numbers and customer names to steal points. However, other sensitive personal data including passport details and date of birth would have been available on the Amadeus booking system. It is unknown if this information has been mis-used.

Customers caught up in the hack have not been notified by Qantas and the airline has yet to issue a public statement.
...
When Caitlin* and her husband went to check in for a $20,000-plus business class flight to London this August, the night before their flight they were concerned to discover their bookings were not showing up in the Qantas app. The booking was made through Qantas and did not involve flights with any other airlines.

“My first thought was there was a hacking event at Qantas,” Caitlin said.
...
After a frantic phone call on the day of travel with a Qantas offshore call centre; “the women I spoke to tried to question whether we had somehow just created brand new frequent flyer numbers,” Caitlin was finally put through to someone in Australia who fixed the problem.
...
Privately, after Caitlin asked Qantas customer service to find out what had happened, she was told it was likely because she had either clicked on a malware link or that there was a cyber breach at airline alliance Oneworld.

Neither explanation was correct.
...
* Last name withheld

 

[markis10]

If your a gate agent then you would have access to such details and can swap membership data, similar thing happened with flybuys and servo attendants that were not the smartest folk, easily tracked and dealt with in due course.

 

[Melburnian1]

What's concerning is that "Caitlin" was not given the truth when she queried it.

Do we have any confidence Indian police will take any action?

Good expose by 'The Weekend Australian'.

 

[kpro]

It turned out her bookings were still in the system, but the frequent flyer numbers had been changed, which is why the booking did not show up on her Qantas app.

After a frantic phone call on the day of travel with a Qantas offshore call centre; “the women I spoke to tried to question whether we had somehow just created brand new frequent flyer numbers,” Caitlin was finally put through to someone in Australia who fixed the problem.

If your a gate agent then you would have access to such details and can swap membership data, similar thing happened with flybuys and servo attendants that were not the smartest folk, easily tracked and dealt with in due course.

If all they did was access the booking and change an FF number to a newly created one, then I don't think they need access to Amadeus, a GDS or Qantas internal systems at all.

Not that I'm saying some internal system wasn't used for this attack, but you can grab the PNR from the barcode on a boarding pass can't you? Then update the FF number through Finnair or similar. And so many people still post pictures of their boarding passes on socials.

 

[moa999]

I can understand people creating new fake accounts for pax travelling without a FF numbers.
(Similar to various retail employees who may swipe their own loyalty cards - generally instant dismissal).

But to actually try and switch out a genuine account, seems crazy.

 

[Melburnian1]

What's most concerning about this cyber breach is Qantas' failure to inform 800 passengers affected.

You'd think with all the egregious behaviour the company has been brought to account for, with at least one significant matter still to be finalised by a court, QF would have learnt its lesson.

Instead, it hides this breach of passengers' private details until confronted by a journalist.

Has anything actually changed under Vanessa Hudson's leadership?

 

[kangarooflyer88]

Instead, it hides this breach of passengers' private details until confronted by a journalist.

Presumably failure to disclose such a breach to customers is a violation of Commonwealth consumer privacy law and actionable through tribunals such as the information commissioner, and also as a matter in civil and criminal court-

-RooFlyer88

 

[SYD]

Isn’t this the same thing that’s been happening with QR and slightly ironically syphoning points off to bogus VFF accounts?

Not exactly “hacking” - just theft of points. Would QF even known about a FF number being changed? Lots of peeps here (and FT) ask about changing FF details at the airport…

 

[madrooster]

This has been ongoing for a while now across a number of carriers... the ones that I'm aware of are QF, AC, SQ, QR ... possibly others. Essentially they pinch the booking reference/pax name and then go and change the FF number to a newly created FF account in the pax's name, then they steal those earned points, hoping the pax didn't notice that the FF number has been changed.

QR recently heavily locked down the ability to change FF numbers online for this very reason, and I suspect others may follow suit in due course as it is becoming quite rampant.

 

[p--and--t]

What's concerning is that "Caitlin" was not given the truth when she queried it.

Do we have any confidence Indian police will take any action?

Good expose by 'The Weekend Australian'.

At the point in time she enquired, how are you so sure the actual problem had been identified?

From experience working in the IT field you are stabbing in the dark as to the cause of an issue until enough examples are found to come to a root cause.

Asserting QF lied to her is drawing a veeeerrrrryy long straw.

 

[Lynda2475]

Although QF overseas call centres have plenty of form in making up/lying to customers We see on this forum regular posts re wrong information re OWAs in particular.

I also work in IT field and understand it can take some time to identify the root cause, but standard practice is to record the incident and forward to appropriate team for investigation, then ensuring someone comes back to the customer, not guessing the root cause or making something up.

Reading this did make me pop in and check all my future bookings were still there.

 

[encryptededdy]

If all they did was access the booking and change an FF number to a newly created one, then I don't think they need access to Amadeus, a GDS or Qantas internal systems at all.

Well, it seems like they are accessing future flights as well and changing the FF number on those flights (that was the incident in the article), so they'd need access to the GDS at least, right? It makes sense as, I think check-in agents can pull that info up.

With that said, the whole PNR/Surname system used by GDSes is not very secure to begin with and the system was probably never really designed with the idea that an agent with system access would be a bad actor. Will be interesting to see where this goes.

What's next, airport staff selling the passenger manifest with everyone's phone number to a bad actor so they can send scam SMSes to everyone, getting them to call a scam number who will try to charge them a bogus change/airline fee? Oh wait, that most likely what happened here

As discussed in another thread, it is indeed surprising they're targeting customers who have an FF number attached (even if they tend to be the higher value tickets), as they probably would never get caught if they just added FF numbers to bookings without them.

 

[OATEK]

The initial response to "Catlin" just sounds like a typical off the top of the head comment from someone who feels they have to say something. I doubt it would be from a QF script.

This process seems to have been about scooping up points from flights rather than transferring points between members. Presumably they then quickly turn those stolen points into vouchers or toasters.

 

[Cheatah]

If your a gate agent then you would have access to such details and can swap membership data, similar thing happened with flybuys and servo attendants that were not the smartest folk, easily tracked and dealt with in due course.

Would a Indian based gate agent have details of non Indian flights though? The original article states the issue includes non Indian flights.

Regardless, if this impacts EU/UK based passengers then QF could be up against European privacy laws as they have not adequately protected customer data.