14 Oct 2025

Frustration mounts among Qantas customers as personal data released on dark web

9:20 am on 14 October 2025

By Rhiana Whitson and Yiying Li, ABC

Photo: Nicolas Economou / NurPhoto via AFP

Frustration is mounting among Qantas customers after they were made aware that their names and addresses are up for grabs on the dark web.

The stolen data of 5.7 million customers was released over the weekend after cybercrime collective Scattered Lapsus$ Hunters did not receive the ransom it demanded.

Ebe Ganon is one of the airline customers who was caught up in the cyber incident.

"I still haven't had any communication directly from Qantas about what's happened, and that's really frustrating as someone who often doesn't have a lot of choice," she told the ABC.

"At this point, my only options are really to pay for monthly identity monitoring myself, and that in itself is costly; it's also quite anxiety-provoking.

"It creates yet another mess that individuals have to clean up because corporates aren't doing their job properly."

Ganon also accused Qantas of poor communication with its customers.

"Every single time there's been a development in this story, I've heard it from the media," she said.

"And as of this morning, I still haven't had any communication directly from Qantas about what's happened.

"And that's really frustrating as someone who often doesn't have a lot of choice around the provider that I use when I travel."

Qantas customers' records were exposed in July after cyber criminals tricked a Qantas call centre worker in the Philippines into handing over access to the information on the third-party platform Salesforce.

There has been speculation that Qantas may face severe financial penalties over the data breach under the Australian Privacy Act.

However, the Office of the Australian Information Commissioner would not comment on whether Qantas would be fined over the hack.

Experts say that with the airline recently reporting a $1.6 billion (NZ$1.8b) full-year profit, the size of any penalty must be big enough to teach Qantas and other companies a lesson.

"The key lesson is to prioritise security over trying to maximise profits for shareholders," Matt Warren, the director at the Centre of Cyber Security from RMIT University, told ABC News.

"The onus is on Qantas, and the onus is on Qantas to keep all of their customers updated."

Warren said the case against the airline could be complex if it tried to blame Salesforce or claimed Australian laws did not apply.

Michael Park, a lawyer who specialises in technology, media, and telecommunications, said this did not appear to be clear at this stage.

"The threshold question will be whether Qantas has breached any of the Australian privacy principles under the privacy act," he said.

"For example, if Qantas holds personal information, it must take such steps as are reasonable in the circumstances to protect that information from misuse, interference and loss.

"The key question here will be whether Qantas held the customer data that was stolen, or whether Salesforce - or another third party - held the relevant customer data."

Park said it was unclear whether Qantas would be liable at all for any breach of the privacy law.

Warren, from RMIT, said the type of data exposed in the Qantas breach was significant, adding that more scams would follow.

"It is serious because it contains what is called personally identifiable information ... like your name, your date of birth," he said.

"The problem is it's hard to change your name, you can't change your date of birth, so what the worry is that there will be a second wave of scams."

Scammers who have access to the data on the dark web might contact the affected Qantas customers, pretending to offer compensation to gain their bank details, Warren warned.

Qantas has not fronted the media since hackers followed through with the threat to post the data on the dark web.

In response to questions from the ABC, a spokesperson pointed to a statement on the airline's website.

The airline spokesperson also said affected customers could access various types of support from IDCARE, which was offered to individual customers on a case-by-case basis.

-ABC