Hudson said the potential reforms would apply both to how Qantas call centres operate and to how the company manages and controls data and information.
“I’m going to be open to every idea that comes up from my team … but we’re also going to make the right decisions that we believe are important to continue to support and service our customers.”
Those two mandates are “not in competition”, said Hudson, who took over as chief executive from Alan Joyce, whose bruising leadership through the COVID-19 pandemic, customer ticketing scams, and illegal sackings put the airline’s reputation in tatters.
Hudson also said she would support the planned Aviation Industry Ombuds Scheme covering the rights of customers in this sort of situation.
“We would welcome any independent process if it helps increase consumer confidence and trust,” she said.
The Albanese government has backed the support of an Ombuds Scheme to oversee the aviation sector, and has the power to force airlines to provide remedies to customers.
However, the level of enforceability for such a regime is still a matter of debate in Canberra.
Qantas says frequent flyer accounts are secure. Credit: Michel O Sullivan
To date, Qantas has not been contacted by anyone claiming to have the data, following the incident suspected to be the work of the Scattered Spider criminal cyber group. Qantas is continuing to work with government authorities to investigate the event.
Earlier Hudson, in a statement, said the investigation into the incident “is progressing well with our cybersecurity teams working alongside leading external specialists to determine what information has been accessed”.
Next week, Qantas “will be in a position” to tell affected customers which types of their personal data were contained in the third-party system that was accessed.
Qantas became the latest major airline to be hit by a cyber breach, when it revealed on Wednesday hackers had accessed customers’ personal information from one of its call centres.
Cybersecurity officials suggested criminal group Scattered Spider could have been behind the Qantas hack. The gang is also suspected to have attacked Hawaiian Airlines and Canada’s WestJet in recent days. The FBI warned this week that part of Scattered Spider’s strategy is to “steal sensitive data for extortion”.
The group has been known to deploy ransomware, which involves locking up sensitive data and threatening to delete or release it unless a ransom is paid.
Scattered Spider has challenged existing cybersecurity defences in part because although it is commercially motivated, it has used the tactics of nation-state actors. The group “establishes persistence in networks”, essentially lying low while learning where the most valuable assets are within an organisation’s network.
It also practises what cybersecurity experts call “living off the land” – repurposing legitimate technology within the system for nefarious purposes, eliminating the need to inject malicious, and detectable, code into the system. This is a tactic seen with nation-state hackers.
Once a group such as Scattered Spider has established a presence and accessed information, it can then “deploy ransomware or pilfer data and extort victims for ransoms”, according to The Record.
John Hultquist, chief analyst of Google’s threat intelligence group, told Wired: “There are some uniquely skilled actors in Scattered Spider when it comes to social engineering, and they have identified a major gap in our security systems that they’re successfully taking advantage of.”
Christiaan Beek, senior director of threat analytics at Rapid7, said: “A hallmark of Scattered Spider’s initial access is the help desk scam.
“The attacker calls an organisation’s IT help desk, armed with personal details of an employee [often scraped from sources such as LinkedIn], and impersonates that user with a convincing backstory.”
The goal, Beek said, was to persuade the help desk to reset the user’s password and/or multifactor authentication device, which gives control of the account to the attacker.
“By targeting high-privilege or sensitive accounts for these resets, Scattered Spider often sidesteps the need for traditional privilege escalation — they start with the keys to the kingdom,” Beek said.
In the Friday update, Qantas reiterated that frequent flyer passwords, PINs and log-in details were not accessed or compromised “but customers can update these details at any time”.
Cybersecurity experts urged customers to update PINs in part because the volume of other data stolen could be used to infer passwords of victims.
“The information accessed in the incident is not enough to gain access to frequent flyer accounts,” Qantas said.