
Qantas Employee Data Misuse: Over 800 Bookings Affected by Rogue Staff

 

Qantas recently experienced a security breach involving employees of India SATS, its ground handler in India. These employees exploited their access to alter customer bookings and divert frequent flyer points into their own accounts. The fraud, which occurred in July and August 2024, impacted over 800 bookings and potentially exposed sensitive data, including passport information. 

However, Qantas has emphasized that there is no evidence that the passport data has been misused. This breach was not a result of a cyberattack but rather an instance of insider fraud. Employees of India SATS, using a partner airline’s system, changed frequent flyer details, funneling the earned points into an account they controlled. Following the breach, Qantas promptly suspended the contractors involved, restored customers’ points, and fixed the altered bookings. Qantas reassured its customers that it has implemented new restrictions on accessing bookings to prevent a similar incident in the future. It also clarified that this was not a technical hack, but rather a case of “rogue employees” abusing their position. 

A spokesperson for Qantas further stated that the airline is unaware of any current bookings being affected by this incident and that a police investigation is ongoing. The breach has raised concerns about other airlines in the Oneworld Alliance potentially being affected. However, Qantas has not confirmed any involvement of other airlines in the scandal. Despite the breach, the airline continues to assert that this was an isolated incident tied to two contractors abusing their access. This breach follows another Qantas security issue earlier in 2024, when a technical error in the MyQantas app gave customers access to other users’ accounts.

While there was no cyberattack involved, the error allowed some customers to view booking information, frequent flyer points, and boarding passes of other users. Qantas promptly fixed the issue and reassured its customers that no financial information was compromised. In both cases, Qantas has emphasized the importance of security and quickly worked to remedy the problems. 

As cybersecurity threats continue to evolve, the airline is working to strengthen its internal systems and access controls, protecting customer data from potential breaches, whether caused by technical errors or human misconduct.

Why Sharing Boarding Pass Pictures on Social Media Is a Privacy Risk, Warns Expert

 

Even individuals flying for the first time are aware that an airline boarding pass includes certain details about a traveler, such as their name, flight number, and seat assignment. However, what might not be common knowledge is that these tickets, whether in paper form or electronic, harbor more personal information than is readily apparent.

In particular, the barcode on a boarding pass has the capacity to reveal information like a frequent flier number, contact details, or other identifying particulars. According to privacy researcher Bill Fitzgerald, the specifics contained within the barcode can vary from one airline to another. Nevertheless, a prudent approach is to always assume that the scannable code contains personal information about the traveler and their itinerary.

Moreover, travelers should also consider that these barcodes may encompass driver's license and passport details, as these are typically provided to the airline during check-in or at the airport. Consequently, it is crucial to handle paper boarding passes with care, refraining from casually discarding them into the trash. As Fitzgerald emphasizes, posting them on social media is an absolute no-go.

While these precautions may seem like standard data protection advice, even the most experienced travelers have made mistakes when safeguarding their boarding passes. A prime example is former Australian Prime Minister Tony Abbott, who inadvertently exposed his personal information by sharing an Instagram photo of his Qantas flight boarding pass in March 2020. Although the hacker who gained access to Abbott's details did not misuse the information, the potential for malicious intent is a looming concern.

Most attackers could utilize this data, which may seem insignificant on its own, to initiate further online attacks against the traveler's digital accounts and identity. Mark Scrano, an information security manager at cybersecurity firm Cobalt, warns that many airlines rely solely on the data from the boarding pass, particularly the confirmation code and last name, to grant full access to the traveler's online account. This vulnerability could be exploited to access personal data stored by the airline.

These seemingly inconsequential details, when used strategically, could lead to significant troubles for travelers, including identity theft. Fitzgerald advises against sharing barcodes in any way to protect against this risk. Although paper boarding passes are becoming less common, they are still required in certain situations beyond the passenger's control, such as last-minute seat changes at the gate.

According to Fitzgerald, shredding a boarding pass is one of the safest methods for disposal.

While mobile boarding passes might appear to be a convenient solution for safeguarding personal data, Fitzgerald cautions that using electronic tickets within airline apps or loyalty apps is not as straightforward as it seems. He points out that these apps often pose privacy concerns and frequently incorporate various forms of tracking, including first-party and third-party tracking. Additionally, some apps may disclose the user's location in near-real-time, further complicating the choice between paper and electronic boarding passes.

For travelers who prefer using their smartphones instead of paper tickets, Fitzgerald recommends taking a screenshot of the QR code on the mobile boarding pass and saving it to their photos, eliminating the need for an additional app to access it.

In summary, it is advisable to treat any version of your airline ticket as you would a sensitive personal document, even if it appears that information such as flight numbers or barcodes holds little significance. As Fitzgerald notes, while the consequences of such information falling into the wrong hands may not be catastrophic, travelers should not make it easier for potential threats to exploit their data.

Latitude Financial Breaches Customer Data, Coles Warns

 


Supermarket giant Coles has confirmed that it has been impacted by the breach of Latitude Financial data. As part of the report, the company alleges that a cybercriminal gang has stolen the information used to issue previous Coles credit cards.

The 14 million stolen customer records included information regarding 7.9 million driver's licenses and about 53,000 passport numbers. The hack was detected last month. According to the company's report, this data breach occurred in March 2023 and was reported to the regulators.

As a result of the breach, Latitude Financial Services has notified Coles of the issue and is in the process of reaching out to all affected clients. 

The breach compromised thousands of passport numbers and thousands of driver's license numbers, along with names, addresses, dates of birth, and other personal information.

Despite this, the supermarket giant has not yet been informed of the number of customer accounts that have been affected by this incident. 

Despite its assertions, Coles has yet to release any further information regarding this data breach incident. Latitude Financial has confirmed that historical Coles credit card holders have been affected by the breach. Several customers have been affected and a Latitude Financial spokesperson is contacting them. “In March 2018, Coles Financial Services moved its credit cards to Citibank,” a Coles spokeswoman said.

Contact between Latitude and the group behind the hack has been confirmed. The group sent Latitude a ransom note demanding payment.

The company is taking a variety of measures to provide support and information to customers affected by the loss of their personal information and to inform them about what happened. 

Even though a third-party platform was likely involved in the breach, this information has not been released by Latitude, nor have the criminals revealed who they are. 

Additionally, the firm has established a contact center in Australia and New Zealand to assist individuals affected by this incident. It further assured customers that if any of the stolen identification documents needed to be replaced, the company would reimburse the affected customers.

There have been multiple attempts made to contact Myer as well as Latitude Financial - both of which have branded Visa credit cards through GE Money. 

Several major retailers, such as Harvey Norman, The Good Guys, JB Hi-Fi, Apple, and Amart Furniture, offer interest-free credit cards and personal loans through Latitude Financial, which used to be known as GE Money. This is one of the most significant data breaches ever to take place in Australia.