Qantas spent the past week emailing millions of customers to detail exactly what private information of theirs was lost in its recent data breach – but if you’re among them, what exactly are you supposed to do next?
It’s a question that 5.7 million Australians are now asking, although Qantas’s latest update confirmed that many only lost minimal information – with 4 million limited to name, email, and Qantas Frequent Flyer details, and 1.2 million losing name and email address only.
If you’re among them, you got off relatively lightly – particularly since your name and email address have probably already been included in any number of other data breaches (you can confirm which ones by searching at Have I Been Pwned, or using darkweb search services.
Be particularly aware of email spam – especially if it’s from someone promising help to sort through anything related to the Qantas breach – and don’t click any links in unsolicited emails or text messages.
As always, never provide any kind of personal information to someone that contacts you out of the blue via phone, text, email, or carrier pigeon; if you think it might be legitimate, hang up or delete the message, then call the company or log onto its website on your own.
“Stay alert,” Qantas’s blandly impersonal advice to customers reads in advising what every company advises customers after a data breach – including advising you “stay informed on the latest threats” by visiting the Australian Cyber Security Centre and Scamwatch sites.
If you’re wondering why you should have to live in a constant state of hypervigilance because of a Qantas error, rest assured that CEO Vanessa Hudson “wants to apologise again for the uncertainty this has caused.”
“I know this incident has been concerning and I am deeply sorry for the uncertainty this has caused,” she wrote in the emails sent to millions of affected customers.
Death by a thousand data leaks
If you’re one of the unfortunate 1.7 million customers who had other data breached – including 1.3 million addresses, 1.1 million dates of birth, 900,000 phone numbers, 400,000 gender identifiers, and 10,000 meal preferences – you may have other problems.
Qantas may still call Australia home, but now cyber criminals know exactly where you call home. Photo: Supplied
Years of data breaches have put a dizzying amount of personal information into the public domain – but if a new breach contains even one new piece of data it can be cross-matched by cyber criminals that are working overtime to build a bigger profile of you.
This helps them better target you with scams to try to get more valuable information – by sending fee-due notices to trick you into sharing your credit card details, for example, or accusatory emails alleging the ATO is coming after you and demanding your tax file number.
Scammers are endlessly creative in how they use your personal details – with police routinely discovering organised criminal enterprises printing false driver’s licenses, selling mobiles whose wallets are loaded with stolen credit card numbers, and more.
Weak passwords compound the problem, as McDonald’s recently found out in the worst possible way – so use the Qantas breach as a cue to manage strong passwords with an app like 1Password, LastPass, Apple Passwords, or your browser’s built-in password features.
With passkeys fast becoming widely used across Amazon, Facebook, Microsoft sites and Google services like Gmail, and other sites, it’s also a good time to make that switch where you can; as a bonus, passkeys are both more secure and more convenient to use.
Also make sure you’ve added 2-factor authentication (2FA) to as many accounts as possible – particularly your banking, superannuation, healthcare, government and other accounts that contain sensitive information or could facilitate theft of data or money.
Takes steps to protect yourself financially
Despite its platitudes, Qantas has made it clear that it’s your responsibility to prevent further harm after it failed to protect your data – and you may be wondering what other options are available to you.
One option is to seek out support from IDCare, the Australian government-backed identity theft support body that promises to “take the time to understand your situation and provide a guided response plan to help you through” the fallout of the breach.
We contacted IDCare to get a better sense of just what that entails – if they just provide a list of the same tips that Qantas and other organisations typically share, that’s not much help – but they cited company policy of not commenting on specific breaches in which they are providing assistance.
It's not also clear whether scale could be a challenge: for an organisation that proclaims its success in having helped 100,000 Australians in 11 years, IDCare will need to ramp up its services to deal with an influx of millions of concerned Qantas victims.
Either way, it seems that IDCare is mostly there to help people after they’ve discovered cyber criminals may be utilising their details for nefarious purposes – and with few companies providing as much detail about their breaches as Qantas has, you're on your own until then.
As one Australian victim only found out recently, cyber criminals can spend years damaging your credit record as they open mobile accounts and credit cards in your name, run up buy now, pay later (BNPL) bills, launder cryptocurrency, and execute complex scams.
The best way to detect such malfeasance is to order your free personal credit report from the three major credit reporting bodies – Equifax, Experian, and ilion.
You’re allowed to request a report once every three months, if you’ve been refused credit within the past 90 days, or if your credit-related personal information has been corrected.
You may also want to instruct Equifax, Experian, and ilion to put a temporary ban on your credit report, preventing them from providing any credit details if companies ask for them – for example, if a cyber criminal is trying to take out a credit card in your name.
“You put your trust in us with your personal information, and we take that responsibility very seriously,” the Qantas email reads – but the reality is that Qantas will – and can – only do so much to help you after the breach.
If you’re among the unlucky victims, now is the time take proactive steps to protect your personal data and services as well as you can.
