Knee-jerk corporate responses to data breaches protect brands like Qantas, but consumers are screwed | Cybercrime

It has become the playbook for big Australian companies that have customer data stolen in a cyberattack: call the lawyers and get a court to block anyone’s access.

Qantas executed it after a major cyber-attack in which the frequent flyer data of 5 million customers was accessed.

The airline joined the long list of companies in Australia, dating back to the HWL Ebsworth breach in 2023, to go to the New South Wales supreme court to obtain an injunction against “unknown persons”, prohibiting the hackers (and anyone else) from accessing or using the data under threat of prosecution.

Of course, that didn’t stop hackers from leaking customer data on the dark web a few months later.

But it might have come as a surprise when identity protection company Equifax this month began alerting Qantas customers that their data had been leaked, as access to the data was supposedly prohibited.

This highlights the main defect of the injunction as a precautionary measure. Qantas maintains that the court order protects customers, but cybersecurity experts warn that in practice it has the opposite effect: fraudsters will ignore it, while organisations based in Australia and operating within the law are unable to check the data or notify the people it concerns.

Troy Hunt, an Australian who operates the HaveIBeenPwned website that notifies users when their information has appeared in breaches, is frustrated because he has not been able to include the breach in its search database.

“Clearly, the court order has not prevented even legally operating organizations from accessing data and communicating with customers,” he said.

“[Qantas is] obviously trying to minimise the damage, and they will inevitably be hit with class action lawsuits, because it happens to every big company that has a breach now… but there is simply no practical, measurable benefit that anyone can assign to keeping this data out of the hands of people like [me] while it is in the hands of people who are now abusing it.”

Hunt noted the irony that Qantas’ cybersecurity incident statement on its website links to government resources for customers caught in a breach. Those resources recommend customers visit Hunt’s website so they can better protect themselves by being aware of the information that is available.

It is unclear how Equifax addressed the court order. The company said it uses cybersecurity firm Norton to monitor the dark web. Norton’s parent company, Gen Digital, is based in the US and Czechia, while Equifax is based in the US.

Norton did not deny accessing the data when asked twice by Guardian Australia and said in a statement that it is “contractually obliged to notify customers” when their information is published on the dark web.

“These alerts are part of our ongoing commitment to helping victims of a data breach protect their personal information and respond quickly if their data is at risk,” the spokesperson said. “This service operates under strict business, privacy and compliance standards to ensure the accuracy and legal handling of all data sources.”

Qantas did not confirm whether it was considering pursuing the companies for potential breaches of the court order, but indicated it was monitoring third parties and would consider them on a case-by-case basis.

“We are aware that third-party vendors are sending notifications to some of our customers. These notifications include types of personal information that were not on the affected system in our July cyber incident,” the spokesperson said.

According to screenshots from the Telegram group run by the hackers, posted this month by Hunt, the hackers are aware of the limitations of the court order.

“Qantas, why do you lie to your citizens?” says the message. “The only thing your court order does is prevent the media/journalists.”

“YOUR data WILL be disclosed and accessed.”
