Qantas executives slow to be seen after data breach affecting up to 6 million customers

Vanessa Hudson has become something of a prolific letter writer this past week.

More than 6 million Qantas customers received a personalised email on Wednesday, signed by the chief executive, informing them that cyber criminals had scaled the company's defences.

An unknown number were unlucky enough to be sent a follow-up the very next day.

It wasn't cheery news.

The first missive outlined fears that the airline's database containing personal information had been hacked and, your name might be on it.

For those receiving the follow-up, it was confirmation their name, email, phone number and frequent flyer number had also been unlawfully accessed.

It was suitably sombre.

But the Qantas boss was nowhere to be seen.

The federal minister responsible for cybersecurity, Tony Burke, told the ABC on Wednesday that Hudson was on leave and he'd spoken twice with the acting chief executive.

Finally, on Friday morning, two days after the data breach was announced to the public, Hudson did a short interview with Channel Seven in Athens.

While her overseas leave may explain the CEO's delay in fronting the media, neither the acting CEO nor anyone else from the airline put their head up publicly either.

The ABC's interview requests were declined, and our reporters' calls to the Qantas media line frequently went straight through to message bank.

For an enterprise that so damaged its reputation with customers during the Alan Joyce era, it was an odd approach to such a serious breach of trust.

Copping the blame

The sheer scale of the hack puts it in the upper league of Australian data breaches. Unlike the others, however, Qantas has attempted to assuage customer fears by assuring everyone that financial details and passport numbers weren't included.

Latitude, Medibank and Optus were bigger attacks than this and, more importantly, they involved far more detailed and potentially damaging information.

In each case, after some initial confusion, those in charge fronted the media to personally take the heat.

It didn't end well for all of them.

Latitude's Ahmed Fahour was halfway out the door by the time the hack, involving detailed financial and personal data on 14 million current and former customers, leaving his successor to deal with the aftermath.

But Optus chief Kelly Bayer Rosmarin endured months of criticism for initially attempting to minimise the severity of the breach, only to be forced out the following year after miscommunication over a nationwide outage.

In Medibank's case, the breach was devastating, with almost 10 million customers exposed and private medical records for sale on the dark web.

Chief executive David Koczkar was forced into an unpalatable choice between quietly paying a Russian hacker a ransom and hoping it goes away or going public and enduring the scorn. He chose the latter and remains in the job.

Offshoring and outsourcing

The Qantas hack occurred in Manila at one of the airline's call centres when a criminal was given access by an employee to a third-party customer servicing platform.

It happened just days after the FBI warned airlines to watch out for cyber attacks including on "third party IT providers which means anyone in the airline ecosystem including trusted vendors and contractors".

The trend towards outsourcing key operations and sending those jobs offshore during the past 20 years has created opportunities for the new wave of cybercriminals.

Corporations have to rely upon the cyber security of their partners. The devastating Russian attack on Medibank again took place via an outside contractor, an IT worker whose login details inadvertently transferred to his personal computer.

Bringing all the functions in house, however, may not solve the issue. For, in most cases, the breaches were caused by human error or, in many cases, a momentary lapse in judgement.

As the FBI warning last week highlighted, cyber criminals are becoming increasingly more sophisticated and employing ever more devious methods.

"These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access," it warned.

"These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorised MFA devices to compromised accounts."

Nothing much to see here

Vanessa Hudson's missives have been reassuring.

True, no credit card or banking details were surrendered, neither were there any passport details.

But even simple identity details can be used to devastating effect.

That three-letter acronym mentioned by the FBI relating to multi-factor authentication usually involves a mobile phone and an email address. Add in a birth date and that could be enough for a criminal to construct an identity.

According to her initial letter, the company has not received a ransom note. But it seems unlikely a hacker would spend the time and effort to crack the system, obtain the information and then decide to do nothing with it.

So far, Qantas executives have decided to keep a low profile. And the strategy appears to have worked. Either that or we've become all too accustomed to data hacks.

The share price has remained reasonably solid, and there has been little criticism either of the company or the executives.

But hiding from bad news can come back to bite.