PRIVACY BREACH in Qantas App – user details exposed including Valid Boarding Passes

A major privacy breach this morning and potential security risk has exposed Qantas and it’s passengers after a glitch in the Qantas app showed the Frequent Flyer and Trip details of random users to people using the iOS version of the Qantas app.

When logging into the app, you are normally presented with your own profile name, your points balance, status credit balance and details of your next trip.

Users this morning were reporting seeing other people’s profiles on the main home page of the app.

Every time you re-open the app (trying to get your own profile), you would likely see another person’s details.

Within 15 minutes I had seen 8 different profiles.

Most concern for both users and Qantas, if a user had a flight in the next 24 hours, the options to show those flights and even an active boarding pass.

This is a major security concern for Qantas, because with just a name, a destination and a flight time, it’s possible to use the automated computer checkin terminals at almost any Australian Airport to get a boarding pass.

Additionally, any boarding passes already issued have been compromised because the QR codes for them may have been captured by other users who could then board the flight.

Qantas essentially need to implement stricter checkin and boarding passes for at least the next 24 hours to ensure the right people are on the right flights.

A Qantas spokesperson told EFTM “We’re urgently working to resolve the issue impacting the Qantas app this morning and we sincerely apologise to our customers who have been impacted.

We’re investigating whether this issue may have been caused by recent system changes.

We recommend that customers log out and log in to their Qantas Frequent Flyer account on the Qantas App. Please also be aware of social media scams at this time.

We’ll continue to provide more information as soon as we can.” (Further updates at the bottom of this article)

Customers should also be aware that scammers are posing on social media as Qantas customer service staff.

Anyone with questions should only speak directly to Qantas call centres, or Staff at Airports.

UPDATE THREE – 12.10PM, 1 MAY 2024

We sincerely apologise to customers impacted by the issue with the Qantas app this morning, which has now been resolved.

Current investigations indicate that it was caused by a technology issue and may have been related to recent system changes.

At this stage, there is no indication of a cyber security incident.

The issue was isolated to the Qantas app with some frequent flyers able to see the travel information of other customers, including name, upcoming flight details, points balance and status. No further personal or financial information was shared and customers would not have been able to transfer or use the Qantas Points of other frequent flyers. We’re not aware of any customers travelling with incorrect boarding passes.

Qantas