Knee-jerk corporate responses to data leaks protect brands like Qantas — but consumers are getting screwed | Cybercrime

It’s become the playbook for big Australian companies that have customer data stolen in a cyber-attack: call in the lawyers and get a court to block anyone from accessing it.

Qantas ran it recently after suffering a major cybersecurity attack that accessed the frequent flyer details of 5 million customers.

The airline joined the long list of companies in Australia, dating back to the HWL Ebsworth breach in 2023, to go to the NSW supreme court to obtain an injunction against “persons unknown” – banning the hackers (and anyone else) from accessing or using the data under threat of prosecution.

Of course, it didn’t stop hackers leaking the customer data on the dark web a few months later.

But it might have come as a surprise when ID protection company Equifax this month began alerting Qantas customers that their data had been leaked – since access to the data was supposedly banned.

This highlights the major flaw in the injunction scheme. Qantas argues the injunction protects customers, but cybersecurity experts warn that in practice it has the opposite effect: scammers will ignore it, while organisations based in Australia and operating within the law will not be able to verify the data and report on it.

Troy Hunt, an Australian who operates the HaveIBeenPwned website, which notifies users when their information has appeared in breaches, is frustrated that he has not been able to include the breach in his searchable database.

“Clearly the injunction has not stopped even legally operating organisations from accessing the data and communicating with the customers,” he said.

“[Qantas is] obviously trying to minimise damage, and they will inevitably get raked over the coals with class actions, because it happens to every big company that has a breach now … but there is just no measurable, practical benefit that anyone can assign to keeping this data out of the hands of people like [me], whilst it’s in the hands of people who are now abusing it.”

Hunt noted the irony that Qantas’s cybersecurity incident statement on its website links out to government resources for customers caught up in a breach. Those resources advise customers to visit Hunt’s website so they can better protect themselves by being aware of what information is out there.

How Equifax approached the injunction is unclear. The company said it uses the cybersecurity company Norton to monitor the dark web. Norton’s parent company Gen Digital is based in the US and Czechia while Equifax is US-based.

Norton did not deny it had accessed the data when asked twice by Guardian Australia, saying in a statement it is “contractually obligated to notify customers” when their information is posted on the dark web.

“These alerts are part of our ongoing commitment to help victims of a data breach protect their personal information and respond quickly if their data is at risk,” the spokesperson said. “This service operates under strict business, privacy, and compliance standards to ensure accuracy and lawful handling of all data sources.”

Qantas would not confirm whether it was considering pursuing companies for potential contraventions of the injunction, but indicated it was monitoring third parties and would consider them on a case-by-case basis.

“We are aware of notifications being sent to some of our customers by third-party providers. These notifications include types of personal information that were not held in the system impacted in our July cyber incident,” the spokesperson said.

According to screenshots from the Telegram group run by the hackers, posted this month by Hunt, the hackers are aware of the limitations of the injunction.

“qantas why are you lying to your citizens?” the message states. “all your injunction does is prevent media/journalists.”

“YOUR data WILL be released and it WILL BE accessed.”
