Already, and this is, this is the Daily, this is The Daily Aus. Oh, now it makes sense.
Good morning, and welcome to The Daily Aus. It's Tuesday, the fourteenth of October. I'm Elliott Lorie.
I'm Billy FitzSimons.
Names, phone numbers, and email addresses were just some of the personal data points compromised during a hacking scandal that first hit Qantas back in July. Fast forward to this week and things have escalated, with the hackers behind the attack leaking that data on the dark web. On today's podcast, we're breaking down exactly what happened, how the hackers got in, who was behind the attack, and what Qantas customers can do to protect themselves.
Elliott, there were so many headlines about Qantas and this data leak over the weekend. Where did this story all begin? Because I remember this coming up a few months ago now.
Yeah, this story's been kicking around for quite a while now. It actually first came up in July. That was when we first heard from Qantas that they had detected a breach at one of their third-party call centers and they were working to contain that breach. As part of the statement that they first put out, they revealed that the data of up to six million Qantas customers had been compromised. That's a lot. It's a very big number. Now, when I say compromised, we're talking about things like names, email addresses, phone numbers, birth dates, and frequent flyer numbers. Importantly, Qantas said that things like passports, credit card details, account passwords and PINs, you know, that really sensitive information, that was not part of the breach. And Qantas responded by obtaining a permanent injunction from the Supreme Court of New South Wales to prevent use or further publication of the stolen data. So this basically made it illegal to spread any of the information publicly, but it doesn't erase the fact that the data is already out there.
When I was reading about this over the weekend, one of the things that I was really interested to learn is actually how hackers got this information, because it wasn't just through them going into the computer systems. What can you tell us about that?
Yeah, a little peek behind the TDA curtain is that when we put stories in the morning, it's often hard to get Billy up and excited about what we're talking about. That's not true this morning. You were especially excited about this story.
I was because of how they got this information. I find it so interesting.
It is interesting, I'll give you that. So basically it wasn't a direct breach of Qantas's systems, but rather they got the information from a platform called Salesforce. So I'm sure quite a few of our listeners would be familiar with Salesforce, at least they would have heard the name, maybe. It's basically a really popular tool that's used by a lot of companies around the world to help with managing customer relationships. That's kind of the primary function, but it also can be used for marketing and sales and a bunch of other things that help the business go around. Now, at least forty major companies from around the world who used Salesforce were caught up in this attack, so we're talking about some pretty big names here. Think of Toyota, Disney, McDonald's, IKEA, and of course Qantas. Yes, so basically Salesforce holds all of these companies' customer data, and in the case of Qantas, it's understood the hackers retrieved the information from a call center in the Philippines.
And that's what's so interesting. That they called this call center and kind of convinced them to hand over the data by posing as an employee.
Yeah, that's exactly what happens. So they pretended to be a Qantas employee. In this instance, they actually used AI to modify their voice and make themselves more recognizable to the person on the other end of the line, and they were able to convince someone in that call center to grant them access to the database. Now, this is becoming an increasingly popular method for hackers if you think about it. You know, most companies these days, they're really bolstering up their cybersecurity efforts, so it's harder and harder to attack in the traditional ways. So they're actually using humans as kind of the weak points in companies to make their way in.
So basically, the tech is becoming so airtight that the way they obviously humans make errors and so that's how they're seeing as their way in.
Yeah, and in this case, that is how they launched this attack. So essentially, they were able to speak to someone who had the right access for Salesforce, and they were able to convince them to install a fake integration with Salesforce that basically was a key for the hackers to access the data that was stored on Salesforce at the time.
Got it. And so that was back in July. Tell us why we're talking about it today.
So last week we were actually made aware of a post on the hackers' website that contained a sample of the data that they'd stolen from those forty companies around the world.
Kind of like a teaser.
A teaser exactly, a very dark cyber teaser. As part of that post, the hackers told Salesforce that they would have to pay a ransom on behalf of the companies or risk having the rest of the data leaked on the internet. Needless to say, they didn't cough up the money, and a Salesforce spokesperson told TDA that they, quote, "will not engage, negotiate with, or pay any extortion demand." And on Saturday, the data from Qantas at least was leaked. On that same day, the hackers posted saying, quote, "don't be the next headline, should have paid the ransom."
Wow, interesting statement from them. I always find it interesting whenever we have these conversations about cyber leaks and ransoms that the general principle is for these companies to never pay ransoms. What is the kind of logic behind that?
Yeah, I think it is an interesting one because you'd sort of see all these headlines and think, why didn't they just pay? It would be so much easier. But paying ransoms is generally discouraged by cybersecurity experts, and that's because while it might make a problem in the moment go away, so maybe this startup wouldn't have got leaked, at the end of the day, you're still paying cyber criminals, so you're effectively financing the next hack. You're paying for them to have more resources and more capabilities. And on top of that, it also puts your company in a vulnerable position because the hackers now know that you're willing to pay up.
It's about the precedent that it sets as well.
Yeah, exactly. Now, there's also no guarantee that they won't leak the data anyway or use it for other purposes, because at the end of the day, we are talking about negotiating with criminals here, so they're not kind of bound under laws of a traditional agreement where you'd be paying money for someone to stop doing something. Now, there are some small situations where a company might choose to pay ransom, and that's often when hackers have extremely sensitive information and, you know, they're willing to do basically whatever to make sure that the threat is contained.
And what do we know about the hackers in this case?
This is actually really interesting. I think we should do a whole nother podcast on this, okay? But the sort of short version of it is that the hackers in this scenario go by the name of Scattered Lapsus Hunters, which I won't say again, so we're going to call them SLSH, okay, moving forward. Now, you can kind of think of them as like a supergroup that's made up of some of the world's most notorious cyber criminals. It's understood that the members of SLSH are mainly young native English speakers from the US and the UK, some in Australia as well, and there's been reports that some of them are as young as sixteen years old, so being sort of brought into this world very young. Now, the people on this team have been responsible for some pretty high-profile cyber crime incidents, including a ransomware attack on MGM Resorts that you might remember, that was back in twenty twenty three, and that attack cost the company one hundred million US dollars just to get the computer systems back online.
Wow.
Now, one thing that we've kind of brushed over in this conversation is that even though we are focusing on Qantas, this is affecting, you know, at least forty global companies. Qantas was just the biggest Australian one, which is why we're talking about it today. It affects the people listening to this podcast. But it was a global response to this leak. So notably the FBI in the US, they were the ones who on the weekend stepped in and actually seized the domain that the data was published on, and they shut down the hackers' website. SLSH then took to the social media platform Telegram to say, "seizing a domain does not really affect our operations. FBI try harder," and they popped a little winky face on them as well, so, you know, needless to say, they are very, very confident. And then in another post they also threatened Australia specifically, with one member writing, "Australia, I really hope, for the love of God, you've learned your lesson this time."
Well, they certainly have a certain tone to their statements, yes. Before we go, for anyone listening to this who has received an email from Qantas saying that their data was part of this breach, for anyone who was affected, what do they, what should they do now?
Yeah, so, I mean the number one piece of advice is to just stay on high alert. Qantas has offered a specialist identity protection service in the meantime, so affected customers can call their twenty four to seven helpline on one eight hundred and nine seven five four one. But on top of that, you probably shouldn't be taking any calls for Qantas because it's very likely that that call could be coming from the hackers themselves. And because they have your details now, it's far easier for them to impersonate someone who works with Qantas or who knows you well, because they have those details and they can kind of put together a bit of a profile on you. While the hackers might not have access to financial details in this breach, they could be using that information to, you know, take out credit cards in your name or do other forms of identity theft. So just keep a monitor on your accounts and make sure that anything that comes through that looks suspicious you're following that up.
And lastly, anything from the Australian government on kind of what their involvement in this is.
Yeah, so they've been pretty stern with Qantas over the whole incident. The Cyber Security Minister Tony Burke has hinted at the possibility of a major fine for Qantas. He told the ABC yesterday, quote, "you can't simply outsource to other companies and think suddenly you've got no obligations on cybersecurity." Apart from that, it's another one of those situations where we'll just have to wait and see.
One thing that I have found so interesting is yesterday's podcast on the person who allegedly started the fires in LA earlier this year, and then now this. They've both had alleged criminals really using AI to further their crimes and the extent of their crimes, and it's just a real interesting space to also kind of keep your eye on, is how all of these alleged criminals are using AI to further perpetrate their crimes.
Yeah. I think, unfortunately, we might be doing a couple more podcasts on this over the next few years.
Yes, thank you so much Elliott for explaining that to us, and thank you so much for listening to this episode of The Daily Aus. We'll be back this afternoon with your evening headlines, but until then, have a great day.
My name is Lily Madden and I'm a proud Arrernte Bundjalung Kalkadoon woman from Gadigal Country.
The Daily Aus acknowledges that this podcast is recorded on the lands of the Gadigal people and pays respect to all Aboriginal and Torres Strait Island nations.
We pay our respects to the first peoples of these countries, both past and present.
