Qantas travellers were stunned this morning to see the boarding passes and personal details of other passengers when opening their Qantas app.
One traveller claimed they were able to access “full booking details, including the ability to cancel someone’s flight to Europe”.
The privacy breach was first reported early Wednesday morning, with travellers taking to social media to report the problem.
One Qantas customer, @lachlanlawyer, said his app logged him in as a different person each time he opened it.
“I have access to the booking details, QFF numbers, status, and boarding passes of people I don’t know,” he wrote on X.
“Logging out and back in does nothing.”
At 9am, Qantas issued a statement saying it was “investigating reports of an issue impacting the Qantas app.”
Just over an hour later, it apologised to impacted customers and said it was now working “urgently” to resolve the issue.
“We’re investigating whether this issue may have been caused by recent system changes,” Qantas said.
“We recommend that customers log out and log in to their Qantas Frequent Flyer account on the Qantas App.
“Please also be aware of social media scams at this time.”
Another Qantas traveller, @MJ Goddard, raised concerns about customers' personal details being randomly exposed to strangers.
“Qantas, it looks like you have a data security breach as I am seeing someone else’s account in the app. So who is seeing mine??”
Dr Muhammed Esgin of the Department of Software Systems & Cybersecurity, Faculty of Information Technology at Monash University, said it was too early to tell what caused the Qantas app issue.
“However, it is certainly a privacy concern given unauthorised people are able to see personal information about other Qantas passengers,” he said.
“Many companies store customer information in a database and mobile applications need to first authenticate a customer to make sure that it is really the right person being granted access.
“Then typically the app is allowed to retrieve information from the database about that particular user only and not others, unless permission is granted.
“The issue seems to be that somehow the app is retrieving private information about other users.
“To prevent such issues, there needs to be proper authentication, authorisation and access control in place.”
Resolution
At 12.10pm Qantas issued a statement to say the issue had been “resolved” and hosed down rumours the airline had been hit by a cyber security breach.
While not confirming how the app malfunctioned, Qantas suspects a recent tech change caused the problem.
“Current investigations indicate that it was caused by a technology issue and may have been related to recent system changes.
“At this stage, there is no indication of a cyber security incident.”
The national carrier said that while travellers were able to see the travel information of other customers – including name, flight details, points balance, and status – no other personal information was shared.
“Customers would not have been able to transfer or use the Qantas Points of other frequent flyers.
“We’re not aware of any customers travelling with incorrect boarding passes.”