An evolving AI project from Mi3 | Automation with Editor curation. And oversight. Always.
In partnership with
Salesforce ThinkNewsBrands
Posted 02/05/2024 9:39am


hAIku

Qantas app glitch seen,
Data exposed, a wake-up call,
Mobile security keen.


Qantas apologises after tech issues allow app users to see data of other Frequent Flyers

Qantas has confirmed that its mobile app is back to normal operations following an issue where users could view personal information of other customers.

Early on Wednesday 1 May, the airline flagged it was investigating reports that several customers on the Qantas app had been able to see the flight and booking details of other Frequent Flyer loyalty program members. By 10.15am, Qantas was “urgently working” to resolve the issue.

In updated statements, first at midday and then at 5pm on Wednesday, Qantas said the app was stable and operating normally following an issue with its homepage. It confirmed two periods between 9am and 12pm on 1 May 2024 in which some customers were shown the flight and booking details of other frequent flyers.

According to Qantas, internal investigations identified a technology issue related to a recent system change.

“At this stage, there is no indication of a cyber security incident,” the midday statement read. “The issue was isolated to the Qantas app with some frequent flyers able to see the travel information of other customers, including name, upcoming flight details, points balance and status.

“No further personal or financial information was shared and customers would not have been able to transfer or use the Qantas Points of other frequent flyers. We’re not aware of any customers travelling with incorrect boarding passes.” By late yesterday, the airline had again confirmed no financial information had been exposed, and said no customers had been able to transfer or use the Qantas Points of other frequent flyers.

“We have processes in place to make sure that customers were not able to board flights using the boarding pass of another customer and there were no reports of this happening,” Qantas stated.

“We sincerely apologise to all customers impacted and continue to monitor the Qantas app closely.”

Commenting on the potential privacy breach yesterday, Dr Muhammed Esgin, of the Department of Software Systems & Cybersecurity, Faculty of Information Technology, expressed concern about people being able to see personal information about other Qantas passengers.

"Many companies store customer information in a database and mobile applications need to first authenticate a customer to make sure that it is really the right person being granted access. Then typically the app is allowed to retrieve information from the database about that particular user only and not others, unless permission is granted. The issue seems to be that somehow the app is retrieving private information about other users,” he explained.

"To prevent such issues, there needs to be proper authentication, authorisation and access control in place. That means we need to make sure that it is really the right person, accessing the right information and nothing beyond what is permitted.”

While Qantas has stated no cyberincident occurred, Dr Esgin said it’s these sorts of information breaches that can be exploited by cybercriminals.

“A common strategy of cybercriminals is to use such sensitive information and situations like this to scam users, for example by pretending to be calling/texting/emailing from Qantas or using the sensitive information leaked to present a more convincing scenario to their victims,” he commented.

"We certainly need better training around cybersecurity and its best practices. The software systems we rely on today are quite complex and minor changes may lead to significant issues. Therefore, we need cybersecurity trained people implementing changes carefully whenever needed under stringent protocols to ensure that inadvertent privacy breaches do not arise."
