Qantas
Summary
On 1 May 2024, Qantas Airways experienced a privacy breach in its mobile app where customers could access other passengers' personal information and booking details. The incident, which lasted approximately three hours, allowed frequent flyers to view names, upcoming flight details, points balances, and boarding passes of other customers. Qantas confirmed the breach was caused by a technical configuration issue, not a cyber attack, and was resolved by 12:10pm AEST the same day.
What Happened
The privacy breach began shortly before 9:00am AEST on 1 May 2024 when Qantas app users discovered they could access other passengers' accounts. Each time affected users opened or refreshed the app, they were shown different customers' information, creating a randomized exposure of personal data across the frequent flyer database.
Customers reported being able to view comprehensive booking information including:
- Full names
- Frequent flyer membership numbers and status levels
- Points balances
- Upcoming flight details and boarding passes
- In some cases, the ability to view or potentially modify bookings
Qantas attributed the incident to a technical configuration issue, potentially related to recent system changes. The airline emphasized that no malicious cyber attack occurred and no financial information was compromised. The technical fault was isolated to the mobile app platform and did not affect the main Qantas website or other systems.
The airline restored normal app functionality by 12:10pm on 1 May 2024, with full stability confirmed by 2 May 2024.
Impact on Individuals
The breach affected Qantas frequent flyers who used the mobile app during the three-hour window. Qantas stated only that "some frequent flyers" were impacted; the exact number of affected customers remains undisclosed.
The exposed information included:
- Personal identifiers: Full names and frequent flyer account numbers
- Travel details: Current and upcoming flight bookings, boarding passes
- Loyalty program data: Points balances and status tier information
Although Qantas confirmed that customers could not transfer or use other people's Qantas Points, the breach created significant privacy concerns. Some users reported they could potentially cancel other passengers' bookings, though Qantas did not confirm whether any bookings were actually modified or cancelled during the incident.
The relatively short duration of the breach (approximately three hours) and the fact that, as Qantas confirmed, no financial data was exposed limited the potential for immediate financial harm. However, the exposure of travel itineraries and personal identification created risks including potential stalking, targeted phishing attacks, or unauthorized tracking of individuals' movements.
Organisational Response
Qantas issued a public statement on 1 May 2024 acknowledging the app malfunction and apologizing to affected customers. The airline's Chief Customer Officer, Markus Svensson, stated: "We sincerely apologise to customers who were affected by this issue, and we are working to understand what caused the issue."
The company's investigation concluded the incident was caused by a technical configuration error rather than external malicious activity. Qantas committed to reviewing its app security and testing protocols to prevent similar incidents.
Qantas did not publicly disclose whether affected customers received individual notification, compensation, or complimentary identity monitoring services. The airline's public communications focused on reassuring customers that the technical issue was resolved and that financial data remained secure.