Qantas launches "Aquire" business frequent flyer program.

Status
Not open for further replies.
re: Qantas launches "Aquire" business frequent flyer program.

To be fair, the password isn't visible and - as mentioned in ALH's initial post - the ABN (which was the original ABN entered by the applicant) doesn't match the company displayed upon hitting the "back" button.

But, yeah, I agree. Company name (from which the ABN can be quickly found), the Acquire programme's contact's full name and role (owner/director etc), phone number, email address, Qantas FF number and - most crucially - security question and answer (which would most likely be used to reset the password either online and/or via phone, depending on the procedures established) are details not quite as easily deduced as some self-styled hackers might think.

As well as the possible exposure to the Acquire accounts that are in play now, the security questions posed are generic enough that they could conceivably be used to hack other systems as well. I.e., many websites use "Mother's maiden name", "Favourite colour", "Town of birth" etc to enable access in the event of a forgotten password, or even forgotten email address.

But hopefully the exposure was/is minimal and the hole quickly closed.

Correct. Password wasn't visible, and it was my own ABN on display. As I said, I would feel uneasy if my details were available to the next person who logged in.
 
re: Qantas launches "Aquire" business frequent flyer program.

Update: we're in the process of pulling the site down as a matter of urgency until this matter is resolved.

Please be assured that issues relating to safety and security are paramount at Qantas, and any suggestion otherwise is taken very seriously.
 
re: Qantas launches "Aquire" business frequent flyer program.

P1 team have rung back and advised they are aware of the issue and looking at it.

Now surely if they recognise there is a potential security issue then they should have locked down the site to ensure that any potential disclosure is limited and contained. Apparently QF don't think the same way lol
 
re: Qantas launches "Aquire" business frequent flyer program.

Update: we're in the process of pulling the site down as a matter of urgency until this matter is resolved.

Please be assured that issues relating to safety and security are paramount at Qantas, and any suggestion otherwise is taken very seriously.

Red Roo

Thank you for that response which is more reassuring than that of the P1 team
 
re: Qantas launches "Aquire" business frequent flyer program.

In addition, if Red Roo and others were making this a priority with IT after identifying a potential security issue then I would have expected QF IT to have closed access to the site until they can work out what the hell is going on, yet 2 minutes ago I was able to log in and change passwords and other personal details.
I've never worked for Qantas or any airline so the following is all speculation and extrapolation (from having worked at other large companies with mission-critical IT systems).

Qantas would of course have several tiers of IT support staff on duty and/or on call 24/7. However I wouldn't be surprised if this 24/7 availability was restricted to key operational systems only. I would imagine that the Acquire registration system would be classed as a lower-priority Marketing system. As such, it may not have 24/7 support available for it.

And even if there was somebody responsible for it at 9 pm (east coast time) it would probably be someone who's not senior enough to have the authority to take the system offline. So Red Roo or someone from the Platinum line would first need to track down whoever is responsible for taking calls for the system at this hour. That person would then need to investigate and verify that the problem exists. That should be easy, but it's possible that it only manifests under certain circumstances - eg some browsers but not others, within some specific time windows of people attempting simultaneous registrations, the phases of the moon or whatever.

Assuming the problem is identified that person, most likely a junior tech support person, would then need to escalate the issue, until it's reached someone who's sufficiently empowered to say "Take the system offline". Even then it might not be that simple, because the people who know how to take the system offline might not be the same people in the loop so far. So it might take yet another round of phone calls, trying to reach people who wouldn't necessarily be on call tonight.

None of this excuses this serious (though probably not catastrophic) breach in the first place. Nor does it excuse what might be interpreted as a lackadaisical response from the P1 people on duty in response to a customer with a valid concern that their privacy is at risk.

But it might explain why the system is still online.


edit: Or... on the other hand, in the time that it's taken me to type all this, Qantas has already commenced the process of taking the system down until it's fixed.
 
re: Qantas launches "Aquire" business frequent flyer program.

Actually, to the contrary. We have senior management and experienced IT support available tonight.

It's day one of Aquire and we're keen to ensure this new program is successful for customers and Qantas Loyalty.
 
re: Qantas launches "Aquire" business frequent flyer program.

Glad to hear it. I hadn't realised that the system was that new. On Day 1 (and for a while beyond) it's of course sound practice to have all the key decision makers and executors on hand.

I've noticed that the "Join" button now redirects back to the Acquire landing page, so that's a good sign.
 
re: Qantas launches "Aquire" business frequent flyer program.

Thanks Red Roo,
explains why when I go to join nothing happens.
 
re: Qantas launches "Aquire" business frequent flyer program.

Was just reading another thread quoting how good this group is at finding cracks in the system... good result having the red roos in here, along with the members of AFF.... what a great team :)
 
re: Qantas launches "Aquire" business frequent flyer program.

Thumbs up to the people who noted this problem and brought it to the attention of the forum & Qantas. I assume the relevant invoices for "security review services" will be going out to Qantas tomorrow :)
 
re: Qantas launches "Aquire" business frequent flyer program.

There might be a lesson here about implementing two significant changes to Qantas Loyalty - both of which place increased strain on both customer service and IT - simultaneously.

It occurs to me that one possible reason why some of the changes related to the QFF programme were poorly implemented (tables, terms & conditions clearly not proof-read and revised "on the fly" several times, dead links on the website, issues with points calculators etc) might be that some or many of the same people were also working to get the Acquire scheme and attendant system up and running, to the possible detriment of both.

If that's the case, Qantas might want to have another look at its release/deployment management methodology as part of the (hopefully inevitable) post-implementation reviews for these changes.
 
re: Qantas launches "Aquire" business frequent flyer program.

There might be a lesson here about implementing two significant changes to Qantas Loyalty - both of which place increased strain on both customer service and IT - simultaneously.

It occurs to me that one possible reason why some of the changes related to the QFF programme were poorly implemented (tables, terms & conditions clearly not proof-read and revised "on the fly" several times, dead links on the website, issues with points calculators etc) might be that some or many of the same people were also working to get the Acquire scheme and attendant system up and running, to the possible detriment of both.

If that's the case, Qantas might want to have another look at its release/deployment management methodology as part of the (hopefully inevitable) post-implementation reviews for these changes.


You are assuming that with all the cuts they have the resources and knowledge to undertake said review
 
re: Qantas launches "Aquire" business frequent flyer program.

Glad Red Roo was on deck.

Well as an early adopter (sucks to be us right) the real test is going to be in how it's handled and what assurances we have that things are kosher.

Interesting times. (Unless you are the QF work experience kid)

And how long till those twits down at News.com.au run a sky is falling article?
 
re: Qantas launches "Aquire" business frequent flyer program.

I see the site is currently offline.. Let's see how long it takes to fix up..
 
re: Qantas launches "Aquire" business frequent flyer program.

As someone who is not well versed in information technology, would the fear of an initiative becoming knowledge to airline competitors stop entities like QF establishing a user panel of potential small business customers who could (I think the term is) 'beta test' the IT 'componentry'?

I know other organisations that have used this approach, but they are typically not for profit private enterprise companies.
 
re: Qantas launches "Aquire" business frequent flyer program.

I've never worked for Qantas or any airline so the following is all speculation and extrapolation (from having worked at other large companies with mission-critical IT systems).

Qantas would of course have several tiers of IT support staff on duty and/or on call 24/7. However I wouldn't be surprised if this 24/7 availability was restricted to key operational systems only. I would imagine that the Acquire registration system would be classed as a lower-priority Marketing system. As such, it may not have 24/7 support available for it.

And even if there was somebody responsible for it at 9 pm (east coast time) it would probably be someone who's not senior enough to have the authority to take the system offline. So Red Roo or someone from the Platinum line would first need to track down whoever is responsible for taking calls for the system at this hour. That person would then need to investigate and verify that the problem exists. That should be easy, but it's possible that it only manifests under certain circumstances - eg some browsers but not others, within some specific time windows of people attempting simultaneous registrations, the phases of the moon or whatever.

Assuming the problem is identified that person, most likely a junior tech support person, would then need to escalate the issue, until it's reached someone who's sufficiently empowered to say "Take the system offline". Even then it might not be that simple, because the people who know how to take the system offline might not be the same people in the loop so far. So it might take yet another round of phone calls, trying to reach people who wouldn't necessarily be on call tonight.

None of this excuses this serious (though probably not catastrophic) breach in the first place. Nor does it excuse what might be interpreted as a lackadaisical response from the P1 people on duty in response to a customer with a valid concern that their privacy is at risk.

But it might explain why the system is still online.


edit: Or... on the other hand, in the time that it's taken me to type all this, Qantas has already commenced the process of taking the system down until it's fixed.

Good point(s).
 
re: Qantas launches "Aquire" business frequent flyer program.

Perhaps Qantas could consider releasing pre-release versions of their future implementations to AFF members for a "soft-opening" to allow all the real-world bugs to be discovered and plugged before being released to the wild?

Well done to ALH (edit: oops... not ALF! :mrgreen:) for discovering the issue and well done to Red Roo for such a quick response.

For all the Qantas staff members in the background who possibly begrudge or belittle Red Roo's role (I imagine it does happen within the bowels of such a large organisation...), shame on you... this is exactly where their role has been able to provide a conduit to fix a potentially disastrous outcome.

Once I saw ALH's post, I decided to hold off completing the registration until I saw an outcome here...
 
re: Qantas launches "Aquire" business frequent flyer program.

Does anyone else think the mass email today announcing the launch was poorly written? It thanks the reader for pre-registering, but the Join Now paragraph at the end implies that it is not cognisant of whether or not you pre-registered.
 
re: Qantas launches "Aquire" business frequent flyer program.

Does anyone else think the mass email today announcing the launch was poorly written? It thanks the reader for pre-registering, but the Join Now paragraph at the end implies that it is not cognisant of whether or not you pre-registered.
When someone from the Acquire team phoned me this afternoon after I had sent off a cranky email this morning, they told me they had fielded a number of phone calls during the day and they recognised that the e-mail had been poorly worded on their part.
 