Qantas has begun updating customers on their personal data that was compromised as a result of the cyber incident in one of its call centres last week.
The following is an update on the response:
Details of compromised customer data
Qantas has progressed its forensic analysis of the customer data in the system that was compromised.
There is no evidence that any personal data stolen from Qantas has been released but, with the support of specialist cyber security experts, we continue to actively monitor.
Qantas has reconfirmed no credit card details, personal financial information or passport details were stored in this system and therefore have not been accessed.
There continues to be no impact to Qantas Frequent Flyer accounts. Passwords, PINs and login details were not accessed or compromised. The data that was compromised is not enough to gain access to these frequent flyer accounts.
After removing duplicate records, our investigation has found that there were 5.7 million unique customers' data held in the system. Specific data fields vary from customer to customer.
The analysis of customers' personal data has found (all numbers are approximate):
- 4 million customer records are limited to name, email address and Qantas Frequent Flyer details. Of this:
- 1.2 million customer records contained name and email address.
- 2.8 million customer records contained name, email address and Qantas Frequent Flyer number. The majority of these also had tier included. A smaller subset of these had points balance and status credits included.
- Of the remaining 1.7 million customers, their records included a combination of some of the data fields above and one or more of the following:
- Address - 1.3 million. This is a combination of residential addresses and business addresses including hotels for misplaced baggage delivery.
- Date of birth - 1.1 million
- Phone number (mobile, landline and/or business) - 900,000
- Gender - 400,000. This is separate to other gender identifiers like name and salutation.
- Meal preferences - 10,000
Customer records are based on unique email addresses and customers with multiple email addresses may have multiple accounts.
Advising customers of their personal data impacted
Qantas is progressively emailing affected customers to advise them of the types of their personal data that was contained in the impacted system and provide advice and support.
Customers can continue to access the dedicated support line on 1800 971 541 or +61 2 8028 0534. This service remains available 24/7 and customers have access to specialist identity protection advice and resources through this team.
Qantas Group Chief Executive Officer Vanessa Hudson said:
"Our absolute focus since the incident has been to understand what data has been compromised for each of the 5.7 million impacted customers and to share this with them as soon as possible.
"From today we are reaching out to customers to notify them of the specific personal data fields that were held in the compromised system and offer advice on how they can access the necessary support services.
"Since the incident, we have put in place a number of additional cyber security measures to further protect our customers data, and are continuing to review what happened.
"We remain in constant contact with the National Cyber Security Coordinator, Australian Cyber Security Centre and the Australian Federal Police. I would like to thank the various agencies and the Federal Government for their continued support."
Advice to customers
We recommend that customers take the following general precautionary steps and remain vigilant to any misuse of their personal information:
- Remain alert, especially with email, text messages or telephone calls, particularly where the sender or caller purports to be from Qantas. Always independently verify the identity of the caller by contacting them on a number available through official channels;
- Where available, use two-step authentication - such as an authentication application - for personal email accounts and other online accounts;
- Stay informed on the latest threats by visiting the Australian Cyber Security Centre and the National Anti-Scam Centre's Scamwatch webpage;