Breach Notification , Security Operations

Qantas Airways Says App Showed Customers Each Other's Data

Customers Report Seeing Each Other's Bookings and Inadvertent Flight Cancellations
Qantas Airways Says App Showed Customers Each Other's Data
Image: Qantas Airways

Australia's Qantas Airways has confirmed suffering a data breach after its app began inadvertently exposing customers' data to other customers.

See Also: Jumpstarting Digital Forensic Investigations

Sydney-based Qantas, which uses the tagline "the spirit of Australia," said that the customer data was unexpectedly spirited away and shown to the wrong customers over two different periods on Wednesday.

Instead of seeing their own details when logging into the Qantas app, some customers instead saw another customer's name, upcoming flight details, frequent flyer status and points balance.

The airline said that the app problem didn't expose any financial information and wouldn't have allowed anyone to transfer or otherwise use someone else's frequent flyer points.

The data exposure first came to light Wednesday after Qantas customers took to social media to report that when they logged into the airline's app, they appeared to be shunted into a different customer's account, which gave them the ability to review that person's name and boarding passes and even cancel their flight.

"I just opened my Qantas app and noticed a random persons flight on my home page. I have their flight details and can even change their seats. Every time I refresh the home page I get a new person's information," says a post by "tolio99" to Reddit's QuantasFrequentFlyer forum.

"Is this happening to anyone else?" tolio99 said. "The 'trips' and 'my QFF' on the app are still all my info. It's just the home page. I've logged in and out twice with the same issues happening."

Other customers reported similar problems. "My colleague logged in and said 'I think the Qantas app has been hacked because it's not my account when I log in,'" one customer told The Guardian. "You could see boarding passes for other people, one of my colleagues could see a flight going to Melbourne and it looked like you could interact and actually affect the booking."

One customer said their booking appeared to have been canceled after someone else accessed their account details, possibly believing it was a booking in their own name that they hadn't made. "I got an email letting my know my flights had been cancelled, so I called up and they said that they would reinstate the flights and someone may have access to my Qantas account and have cancelled my flights," Reddit user "fatfeets" posted.

The airline has blamed the privacy stumble on an unspecified "technology issue" possibly tied to "recent system changes" and said that "at this stage, there is no indication of a cybersecurity incident," meaning Qantas doesn't think it fell victim to a hack attack.

To help expedite fixes, the airline recommended "customers log out and log in to their Qantas Frequent Flyer account on the Qantas App."

Qantas said that despite the information exposure, it appears that no one attempted to use anyone else's boarding pass via the app snafu.

"We have processes in place to make sure that customers were not able to board flights using the boarding pass of another customer and there were no reports of this happening," Qantas said. "We sincerely apologize to all customers impacted and continue to monitor the Qantas app closely."

The airline, which last year carried 45.7 million passengers, also warned customers to beware any attempts by fraudsters or phishers to turn the data exposure to their advantage, including via social media scams.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.