Qantas data leak court injunction sets a scary precedent for reporting

I’m scared to even write about this, and that’s a shit position to be in as a reporter. I’m a commentator, not a journalist, but I understand that I get lumped into “Journo” often – and I accept that – but right now I’m frankly blown away by how this Qantas Data Leak is being reported and handled, and it’s all because of a Supreme Court of NSW Injunction striking fear through newsrooms across Australia.

You see, Qantas went to the courts to prevent anyone from sharing, even looking at the data that was stolen from their systems three months ago. Why? Well, frankly, I don’t know.

A NSW Supreme Court ruling isn’t going to stop some hackers releasing data, and it’s certainly not going to stop scammers from snapping up that data and using it to target Aussies via SMS, Email and Phone.

I’m also not a lawyer, so I read the four page Judgement/Order and frankly it made little to no sense.

The “First Defendant” listed is “Persons Unknown” – I mean, what? That says that everyone is the potential criminal here. The Judgement restricts “Persons Unknown” from:

i. Placing any material from the Impacted Dataset, as defined below, (including the Exfiltrated Dataset) at any location on the internet;
Il. Transmitting, publishing or disclosing any of the Impacted Dataset (including the Exfiltrated Dataset) to any person or facilitating such steps;
iii. Using (including viewing) any information from the Impacted Dataset (including the Exfiltrated Dataset) already in their possession for any purpose, other than obtaining legal advice in connection with these Orders;
iv. Promoting or publishing any links to locations from which the Impacted Dataset (including the Exfiltrated Dataset) may be able to be downloaded, without the Plaintiff’s written consent .

Why do I care?

Well in 2022 I took the time to look at the sample data released by Hackers in the Optus data breach. This allowed me, as a reporter to fully understand the consequences of that breach and how it might impact the customers.

It also allowed me to investigate if any of those affected customers were contacted by Optus directly as their data was released while millions of others was not. Note, Optus never did contact those customers specifically about that release.

The “Scattered LAPSUS$ Hunters” are headline news, threatening to release the Qantas data. Did they?

Well, they say they did, and from what I can see on their Dark Web presence, they did.

153GB of data – that’s a LOT.

And What I want to know is, is Qantas telling the truth? Is the data as simple as they say it is?

Qantas explained after the breach just what details were affected, but how do we know this?

Surely we should be able to independently verify that information?

Also, with the actual data – how useful is it to scammers?

But here I am, sitting able to download the file – look at it, teasing me:

But if I do – I’m in contempt of court? Ridiculous.

Scammers around the world have downloaded that file, and are working to rip of average Aussies in ways they can dream up, but we can’t because we don’t know exactly what they are seeing.

Yes, it should be illegal for me to name any person in the file.
Yes, it should be illegal for me to re-publish that file or any part of it.
Yes, it should perhaps be a breach to contact people in that file (I err on this one because I feel like there could be some follow up for specific users in reporting the story).

But just to look at the file? To try and help Australian’s understand the risks.

This is court injunctions gone mad.

Because I’m not a lawyer, I sent the Injunction to Chat GPT for the only legal advice I can afford – it was clear:

Risk of Contempt of Court

Publishing or referencing details from the exfiltrated dataset — even indirectly — could be a breach of the injunction and amount to contempt.
That includes:

quoting or describing information drawn from leaked data;
linking to sources containing that data (even if hosted overseas);
commenting on the specifics of the dataset itself.

If you are covering the story as a journalist, you can report on the fact that the orders exist, and on the public aspects of the court proceeding — but not on the contents of the suppressed data.

An Injunction in the NSW Supreme Court does NOTHING to protect Qantas Customers. NOTHING.

The Data is out there, it’s being used by scammers now, and our courts shouldn’t be used in this way – just seems strange, and frankly fishy to me.

Trevor Long( Editor )

Trev is a Technology Commentator, Dad, Speaker and Rev Head.

He produces and hosts two popular podcasts, EFTM and Two Blokes Talking Tech. He also appears on over 50 radio stations across Australia weekly, and is the resident Tech Expert on Channel 9’s Today Show each day and appears regularly on A Current Affair.

Father of three, he is often found down in his Man Cave.

Like this post? Buy Trev a drink!