Qantas says issue that exposed customer data to others has been resolved

Qantas says it has resolved an issue with its app that gave customers access to the personal information and accounts of other people, prompting concerns over data privacy.

The company said an internal investigation suggested the issue might have been caused by recent system changes, and that it did not suspect a cybersecurity incident was involved.

“We sincerely apologise to customers impacted by the issue with the Qantas app this morning, which has now been resolved,” Qantas said in its latest statement at 12.10pm, adding that the app-specific issue had allowed some frequent flyers to see the travel information of other customers, including name, upcoming flight details, points balance and status.

“No further personal or financial information was shared, and customers would not have been able to transfer or use the Qantas Points of other frequent flyers. We’re not aware of any customers travelling with incorrect boarding passes.”

Beginning just before 9am on Wednesday, users on social media began reporting the issue, and posting screenshots showing unfamiliar boarding passes and customer details.

“Left lounge to board flight and my app just spewed out all these boarding passes for people I’ve never heard of,” said another.

“Good thing I got a hard copy!”

One customer posted a video showing the app cycling between multiple users as they refreshed the app.

The cause and extent of the issue weren’t immediately known, causing some to worry that their boarding passes would stop working, that their identifying data could be stolen or that their reward points could be spent. Qantas made very brief statements at 9am acknowledging the issue and at 10.15am suggesting users log out, and warning against social media scams.

Throughout the issue, many users on X posting about Qantas received multiple replies from automated accounts pretending to be Qantas customer service, asking for the customers to send their personal information via DM. Follow-up phishing attempts, for example, offering customers compensation for the issue, are likely in the coming days.

Similar issues have occurred in other apps before, including those belonging to banks, Mercedes-Benz and US telco T-Mobile. Generally, such glitches are the result of incorrectly configured technology upgrades on the company’s end and are fixed quickly once discovered, but they can have lasting impacts.

Given the data that was exposed, which included names, frequent flyer details and boarding pass QR codes, Qantas may need to reissue boarding passes for any flights over the next 24 hours, which could create problems at departure gates. It will also need to investigate any potential interference with customers’ accounts from those who had unintended access. Longer term, scammers could use captured details to impersonate Qantas and craft scam messages.

Get news and reviews on technology, gadgets and gaming in our Technology newsletter every Friday. Sign up here.