Adam Thorn reports:
Qantas has obtained a court injunction to prevent any person or organisation from publishing the customer information stolen in its recent hack.
The airline called the ruling of the NSW Supreme Court an “important next course of action” but also reiterated that there is still “no evidence” that any data had been released into the public domain.
The incident reportedly involved cyber criminals using AI to impersonate a Qantas employee and then tricking a customer service operator in Manila into divulging crucial information.
While no group has claimed responsibility, reports suggest that a hacking collective known as Scattered Spider may be behind the attack.
Read more at CyberDaily.au.
Related: Judge will stay on Qantas case despite being ‘caught up’ in the airline’s major data breach
Comment on Injunctions
The type of data involved in the Qantas incident reportedly varies from person to person, but includes business and residential addresses of 1.3 million accounts, phone numbers attached to 900,000 accounts, and dates of birth connected to 1.1 million accounts. The majority of the compromised records were limited to customers' names, addresses, and Frequent Flyer details.
Is an injunction to prevent any leakage of such data truly warranted? Censoring the press from reporting on these types of data does not seem warranted at all.
The reality is that criminals who would leak the data or sell it via the internet generally don’t give a damn about any court injunctions and will leak it anyway. The only ones who are then really affected by injunctions or superinjunctions are media outlets that want to report on the situation to inform the public, and members of the public who might be affected by a breach but not know about it if the entity has not been transparent in any disclosure.
Censoring the media without valid justification is unconscionable and to the detriment of society.
Neither injunctions nor superinjunctions issued in secret hearings where the press is not even represented should be used for routine data breach situations that involve some amount of personal information unless it is highly sensitive personal information or information that puts lives or national security at risk.