Qantas Hack is the Same Old Problem
The Qantas hack is yet another reminder that weak authentication remains the single biggest flaw in enterprise security.
Recently, in Australia, superannuation funds were targeted through a wide-scale credential stuffing attack. The reason? Many relied on weak authentication for members accessing their online accounts. And whilst the Australian Prudential Regulation Authority (APRA) has, in the wake of these attacks, mandated multi-factor authentication (MFA), not all MFA is the same: funds that implement MFA susceptible to social engineering can expect further attacks of this kind.
Qantas Data Breach: Another Wake-up Call for Identity Security
This month, it was the turn of the national carrier, Qantas. A different attack vector, different circumstances, a different type of loss, but the same old problem: identity assurance.
In the Qantas incident, six million customer data records were stolen from a database. The stolen data includes names, email addresses, phone numbers, birth dates, and frequent flyer numbers. It is being referred to as a cyber-attack, and the airline is working with the Federal Government’s National Cyber Security Coordinator, the Australian Cyber Security Centre, and independent cybersecurity experts, as well as the Australian Federal Police.
The breach has been described as Australia’s most high-profile since Optus and Medibank in 2022, adding to Qantas’s challenges as it seeks to restore public trust after a series of reputational issues.
Vishing Attack On Help Desk: A Breakdown
The source was a vishing attack on a Manila call-center agent, with the attacker posing as a Qantas employee. According to cybersecurity company Arctic Wolf, it is possibly the work of the hacker outfit Scattered Spider, which has a history of posing as IT staff to obtain employee passwords or MFA codes. This points to the contact center in question actually being a Qantas help desk.
The FBI had recently warned about Scattered Spider targeting the airline industry, with Hawaiian Airlines and Canada’s WestJet already impacted. “What makes this trend particularly alarming is its scale and coordination,” said Mark Thomas, Australia director of security services at Arctic Wolf.
Why Current Authentication Fails
Whether the agent disclosed the password directly to the hacker over the call, or performed a password reset that the hacker then intercepted somehow, is a moot point. The real question is why the agent was ever put in a position where they could be socially engineered. This attack could have been easily prevented in three different ways using the same voice biometric technology.
The Steps That Need To Be Taken: Identity Assurance
Firstly, it could have been prevented at source by a) biometrically authenticating the caller against the claimed identity either before the call reached the agent or whilst speaking with the agent or b) using a self-service password reset solution requiring voice biometric authentication. In both cases, the hacker would have failed.
Secondly, even without proper identity assurance at the help desk, the loss of data could have been prevented if voice biometric authentication were required alongside the password at the network access level. Holding the compromised password alone would not have been enough to gain access.
Qantas may well use MFA for their employees for network access, but if so, it was bypassed in this instance because reliance on MFA codes is not enough. Unfortunately, these attacks will continue to occur until organizations realize that true identity assurance does not rely on a presumed identity and a piece of information.
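The design principle above, that the agent should never be the one deciding whether a reset is legitimate, can be illustrated in code. The following is an added example, not ValidSoft's product or Qantas's systems: it assumes a separate verification service (the biometric check itself is simulated) that issues a signed, purpose-bound, short-lived assertion, and a help-desk reset function that accepts only that assertion and deliberately ignores what the agent was told.

```python
"""Help-desk password reset gated on a verification assertion, not on the agent.
Added illustration; the identity-verification step is assumed and simulated."""
import hashlib
import hmac
import json
import secrets
import time

# Constructed: key held by the verification service and the reset endpoint only.
# The help-desk agent never holds it, so cannot mint or alter assertions.
VERIFIER_KEY = secrets.token_bytes(32)
USED_NONCES = set()  # assertions are single-use


def _mac(body: dict) -> str:
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(VERIFIER_KEY, msg, hashlib.sha256).hexdigest()


def issue_assertion(subject: str, purpose: str, now=None, ttl: int = 300) -> dict:
    """Issued by the (assumed) verification service once the caller has passed
    verification for `subject`. Bound to subject, purpose and a time window."""
    now = time.time() if now is None else now
    body = {"sub": subject, "purpose": purpose, "iat": now,
            "exp": now + ttl, "nonce": secrets.token_hex(8)}
    body["mac"] = _mac(body)
    return body


def assertion_valid(a: dict, subject: str, purpose: str, now=None) -> bool:
    now = time.time() if now is None else now
    body = {k: v for k, v in a.items() if k != "mac"}
    if not hmac.compare_digest(_mac(body), a.get("mac", "")):
        return False  # forged, or edited after issue (e.g. subject swapped)
    return a["sub"] == subject and a["purpose"] == purpose and a["iat"] <= now < a["exp"]


def reset_password(claimed_user: str, assertion, agent_vouches: bool, now=None) -> str:
    """'reset' only with a valid, unused assertion for this user and purpose.
    `agent_vouches` is accepted but ignored by design: a convincing caller
    cannot talk the agent into authorising the reset."""
    if assertion is None or not assertion_valid(assertion, claimed_user, "password_reset", now):
        return "denied"
    if assertion["nonce"] in USED_NONCES:
        return "denied"  # replay of an already-consumed assertion
    USED_NONCES.add(assertion["nonce"])
    return "reset"
```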
ValidSoft offers solutions today to combat such threats, both current and emerging. Schedule a demo today and see how our solutions work in real-time scenarios.