Australia’s Qantas apologises for mobile app data breach


Australian flag carrier Qantas has apologised to fliers after a glitch in its mobile application temporarily enabled some customers to view the flights and booking details of other frequent fliers on two separate occasions.

The airline said that no financial information was exposed, and nor were any users able to transfer or use frequent flier points belonging to others. Additionally, nobody was able to board a flight using another customer’s boarding pass – and nor was this attempted.

“We sincerely apologise to customers impacted by the issue with the Qantas app this morning, which has now been resolved,” Qantas said in a statement.

“Current investigations indicate that it was caused by a technology issue and may have been related to recent system changes. At this stage, there is no indication of a cyber security incident.”

The problem first surfaced shortly before 9am in Australia on 1 May 2024 (12am BST) and multiple users reported suddenly being able to view, and apparently amend, the bookings of others. The issue was resolved by 7.50am BST. It is unknown how many, if any, UK citizens or residents were impacted.

Although Qantas has stated that the incident was not the result of direct interference from threat actors, the incident certainly constitutes a serious data breach, and it is possible that had someone with malicious intent had accessed the data of another, they could have used it in a follow-on cyber attack against that individual. The airline has advised fliers to be alert to the possibility for scams and fraud.

Ted Miracco, CEO of mobile application security specialist Approov, said that as such, the incident was highly concerning. “The problem described suggests a significant issue with how user sessions and data are being handled within the app. The Application Programming Interface (API) is incorrectly processing or validating session tokens, leading to unauthorised access to data.

“The exposure of such personal information, including booking details, frequent flyer numbers, and boarding passes, poses serious risks and liability. The data could be used for identity theft, phishing scams, or unauthorised access to further personal information.

“Such a breach should have significant legal and compliance implications, particularly under data protection regulations like the Australian Privacy Act (APA) or GDPR, if any EU citizens are affected, or other local privacy laws, depending on the nationality of the affected passengers,” he added.

API security has become a big issue thanks to the ubiquity of APIs, usage of which is growing at about 200% every single year. There are few pieces of code written in recent years that do not in some way expose or consume an API, and thanks to their mission criticality, dispersed nature, and tendency to bring developers and security teams into conflict, they have become a major attack vector for cyber criminals. Indeed, one of the most significant cyber attacks of recent years to have exploited APIs was a 2022 incident affecting another Australian organisation, telco Optus, which exposed the data of millions of customers.

System changes

If the incident did indeed arise following a botched system change, Qantas joins a growing list of organisations to have experienced similar issues in recent weeks. In March 2024, a number of prominent names on the UK high street, including fast food chain McDonald’s and the Nationwide building society experienced significant outages after mistakes were made during routine upgrade work.



Source link