Qantas Airways has apologized for a privacy breach that exposed passengers’ travel information and allowed strangers to change seats and book and cancel flights.
“We’re urgently working to resolve the issue impacting the Qantas app this morning and we sincerely apologise to our customers who have been impacted,” the airline said in a status update posted on its website.
The airline responded by promptly fixing the security glitch and assuring customers that their financial information was not at risk. The company has also ruled out the possibility of a cyber-attack.
Qantas privacy breach exposed passengers’ travel information
Although the privacy breach exposed limited personal information, it allowed strangers to see the information of other customers, including name, upcoming flight details, points balance, and status tier.
On social media, passengers reported seeing different travelers’ information each time they opened the Qantas app. Others suspected someone had hacked into their accounts when they encountered strange personal details.
Highlighting the risk posed by the security breach, tech journalist Trevor Long told Australian media outlets that he could “capture at least 8-12 different people’s details” within fifteen minutes.
It remains unclear if opportunistic miscreants exploited the security breach to scrape travelers’ information from the Qantas app. Given the urgency of air travel, threat actors could utilize the exposed travel information to spear-phish individuals on social media.
“The exposure of such personal information, including booking details, frequent flyer numbers, and boarding passes, poses serious risks and liability,” said Ted Miracco, CEO of Approov. “The data could be used for identity theft, phishing scams, or unauthorized access to further personal information.”
“Such a breach should have significant legal and compliance implications, particularly under data protection regulations like the Australian Privacy Act (APA) or GDPR, if any EU citizens are affected, or other local privacy laws, depending on the nationality of the affected passengers,” added Miracco.
Nonetheless, the impacted individuals’ financial information was not at risk as the privacy breach did not expose their payment account details or credit card information or allow strangers to transfer loyalty points.
“No further personal or financial information was shared, and customers would not have been able to transfer or use the Qantas Points of other frequent flyers,” said the airline.
Claiming to have “processes in place” to prevent fraudulent boarding, the airline did not encounter incidents of passengers using other flyers’ boarding passes to take flights.
“We’re not aware of any customers travelling with incorrect boarding passes,” noted Qantas.
Cyber attack ruled out in the Qantas privacy breach
The Australian carrier attributed the privacy breach to a recent system update and ruled out the possibility of a cyber security incident.
“We have now identified the root cause and can confirm that this was a technology issue, and there is no evidence of a cyber incident,” said the airline.
The Spirit of Australia quickly remediated the problem by midday and advised customers to log out and then log in to rectify the issue.
“We sincerely apologise to customers impacted by the issue with the Qantas app this morning, which has now been resolved,” the company said.
The Australian national carrier also promised to continue monitoring the app closely for potential problems.
Similarly, the airline warned users to be “aware of social media scams” resulting from the privacy breach. Some customers reported receiving personal information requests from individuals purporting to be Qantas staff.
The airline also promised to contact individuals whose information was inadvertently displayed to other customers.
The exact number of the Qantas data breach victims remains shrouded in mystery. However, in its final update at 4 pm, the airline suggested that in “two periods,” “some customers” could see the travel information of “other frequent flyers.”
Although the airline did not explain the nature of the technical glitch, Miracco suggested that it stemmed from poor session handling.
“The problem described suggests a significant issue with how user sessions and data are being handled within the app. The Application Programming Interface (API) is incorrectly processing or validating session tokens, leading to unauthorized access to data,” Miracco said.
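The symptom described above, a session being served another customer's profile, is something an API owner can detect from its own response logs. The following is an added illustration, not Qantas's code or data: it runs over a constructed log of profile responses (session, the account the session was issued to, the account whose data was returned) and flags cross-account responses, sessions shown several people's data, and the accounts whose details were exposed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProfileResponse:
    ts: int            # seconds since epoch
    session: str       # opaque identifier of the session token
    auth_account: str  # frequent flyer account the session was issued to
    returned: str      # account whose profile data the API actually returned


# Constructed sample log; identifiers are placeholders, not real accounts.
SAMPLE_LOG = [
    ProfileResponse(1000, "s1", "FF001", "FF001"),
    ProfileResponse(1060, "s1", "FF001", "FF002"),  # leak: wrong customer
    ProfileResponse(1120, "s1", "FF001", "FF003"),  # leak again, third person
    ProfileResponse(1005, "s2", "FF002", "FF002"),
    ProfileResponse(1200, "s3", "FF003", "FF003"),
    ProfileResponse(1260, "s3", "FF003", "FF001"),  # leak
]


def cross_account_responses(log):
    """Responses whose returned profile belongs to someone other than the
    session owner. A healthy API should produce none of these."""
    return [r for r in log if r.returned != r.auth_account]


def sessions_seeing_multiple_accounts(log, threshold=2):
    """Sessions that were shown data for at least `threshold` distinct
    accounts; this is the 'different traveller each time I open the app'
    pattern customers reported."""
    seen = defaultdict(set)
    for r in log:
        seen[r.session].add(r.returned)
    return {s: sorted(a) for s, a in seen.items() if len(a) >= threshold}


def affected_accounts(log):
    """Accounts whose data was displayed to a session they did not own,
    i.e. the customers who need to be notified."""
    return sorted({r.returned for r in cross_account_responses(log)})
```

In production the same checks would run on streamed API logs and alert on the first cross-account hit rather than on a batch.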
Qantas App is highly rated in Google Play and Apple’s App Store. However, Approov’s CEO warned that the security features of Google and Apple’s app stores cannot adequately protect users from vulnerable applications.
“The security features provided by these platforms primarily focus on ensuring that apps are free from known malware at the time of upload and meet certain basic security criteria,” Miracco said. “However, these protections do not extend into the realms of runtime security, business logic, and specific data handling practices which are critical for ensuring application security.”
While a technical glitch admittedly caused the Qantas privacy breach, airlines are frequent victims of cyber attacks.
In 2023, Spain’s third-largest airline, Air Europa, suffered a cyber attack that leaked customers’ credit card details. In 2020, the United Kingdom’s privacy regulator fined British Airways £20 million following a similar incident.
In March 2024, the US Department of Transportation said it would conduct a privacy review of the country’s ten largest airlines to determine if they were “properly safeguarding their customers’ personal information.”