Article 77103 Tech support scam caused massive data breach at Australian airline Qantas

Tech support scam caused massive data breach at Australian airline Qantas

by
from www.theregister.com - Articles on (#77103)
Story ImageAustralia's Privacy Commissioner has revealed a tech support scam was the cause of the massive 2025 data breach at Australian airline Qantas and found the carrier didn't breach its privacy obligations despite leaking personally identifiable information for 5.7 million customers. The Commissioner reached that conclusion, and a decision not to open a formal privacy probe, in a report published today. Qantas has previously admitted the incident was the result of a social engineering attack on a contact center. The Commissioner's report goes deeper, explaining a crook who claimed to represent Qantas IT help" made the call and told a contact center agent to access a CRM system and perform certain actions needed to close a support ticket. Those actions instead connected the CRM to a data extraction tool which the crooks used to siphon off customer records. The Commissioner considered whether Qantas observed the Australian Privacy Principles (APPs), the binding rules that govern how businesses safeguard PII, and found the airline did the right thing. The report found that Qantas audited the operator of the contact center and tested the security awareness of its employees - and had done so in the months before the incident. Qantas also conducted mandatory and recurring training on how to handle PII. The Commissioner was therefore satisfied Qantas took adequate steps to ensure the contact center observed the APPs and didn't fail in its obligations. The regulator made a similar finding regarding the airline's cross-border data-sharing practices. Our inquiries did not identify any omissions in the steps Qantas took that, if addressed, would have prevented the breach that occurred in this incident," the report states. The APPs include a requirement to take reasonable steps to protect personal information from unauthorized access. Again, the Commissioner decided Qantas complied because it used role-based access controls, among other techniques to protect data. Another issue the regulator considered was whether Qantas took reasonable steps to destroy or de-identify the personal information it didn't need. The carrier told the Privacy Commissioner that it scheduled annual data removal runs from its CRM, and that no records that deserved deletion or removal were present at the time of the attack. That clean record saw the Commissioner decide not to launch a deeper investigation. I have a broad discretion to commence an investigation of an act or practice where it may be a contravention of the APPs and where it is desirable to do so," the report states. The first-person pronoun is presumably the work of Commissioner Carly Kind, who observed it does not appear that Qantas could have reasonably foreseen and prevented the breach in the manner that it occurred. The way in which the threat actor gained access was through a vishing attack which could not have been prevented by a strengthening of Qantas' current role-based access controls." It's possible the Commissioner will revisit the matter at another time, and class-action lawsuits are also in train regarding the incident. Qantas may therefore still have to fight through plenty of turbulence before this matter lands. One thing the report doesn't address is the identity of the attackers. Pundits have suggested the Scattered Spider gang did the deed after it started attacking the aviation industry in the weeks before the Qantas incident. (R)
External Content
Source RSS or Atom Feed
Feed Location http://www.theregister.co.uk/headlines.atom
Feed Title www.theregister.com - Articles
Feed Link https://www.theregister.com/
Reply 0 comments