This was published 5 months ago

Opinion

The clock’s ticking for Qantas on ransom deadline, but does it matter?

Elizabeth Knight
Business columnist

The clock is ticking for Qantas and 39 other companies as the cybercrime supergroup called the Trinity of Chaos inches closer to delivering on their threat of releasing the customer information of the companies into the dark web.

On Thursday the criminals added Telstra to the list – although the veracity of the hack on Telstra is in doubt, given the telco says the information the hackers say they have collected has come from public sources rather than a cyber breach.

Of the 40 victim companies in the extortion claim, almost all of them have plenty of customers. There are several international airlines and myriad consumer brands including Adidas, Asics, Toyota, Walgreens, Chanel, Gucci and IKEA. Even Google Adsense made the list.

Criminals are demanding companies pay up or else.

In the case of Qantas we know compromised data included names, email addresses, phone numbers, birthdates and frequent flyer numbers. That dataset includes the home addresses and phone numbers of several high-office holders, as pointed out by Australia’s top cyber cop, cybersecurity co-ordinator Lieutenant General Michelle McGuinness, at Senate estimates on Wednesday.

The information stolen from the other companies on the list reportedly includes similar information plus, in some cases, what customers have been buying.

Qantas and the rest were targeted because they all use software provided by US technology giant Salesforce to manage their relationships with customers – whether it’s selling stuff to them, marketing new deals or answering their queries.

The hackers impersonated Salesforce and then used pretty unsophisticated means to get access to data inside these 40 companies. While they didn’t break into Salesforce’s internal systems, the hackers posed as legitimate employees of the company and called the IT helpdesks of the 40 companies, convincing unsuspecting staff there to grant them access.

The note consequently sent by the cybercriminals to Salesforce – a snapshot of which was contained on the website of cybersecurity company Fortra – reads: “Contact us to negotiate this ransom or all yr customers data will be leaked: If we come to a resolution all individual extortions against your customers will widhawn” (sic).

And, just to be certain, the hackers have also attempted to extort the individual companies. Salesforce has told the thieves to get lost, and we know that Qantas has refused to pay them as well.

So as far as this heist goes, it strikes me that the cyberthieves are in a pretty poor negotiating position, which may explain why they are making so much noise this week.

There’s chatter that the hacks may have been perpetrated a few years ago, which suggests that the hackers have been unsuccessfully threatening catastrophe for quite some time. The criminals may have reportedly also reduced the amount they have been trying to extort, mainly due to their demands being ignored.

Paying ransoms to hackers is frowned upon in the corporate world, and companies are now additionally disinclined to pay up, given the type of information hackers usually pinch isn’t particularly sensitive for the average person.

Of course, in Qantas’ case, some of its VIP frequent flyer customers include senior politicians, corporate executives and members of the judiciary, who like to keep their details quiet. But for just about everyone else, email addresses, phone numbers and birthdates are not state secrets.

We hand them to supermarkets, real estate agents, energy retailers, phone companies and ride-sharing/food delivery companies like Uber. That’s for starters, and it begs the question, just how worried should we be now that the dark web contains our personal information and which type of sneaker we bought?

In the Medibank Private data breach the sensitive data stolen included information on medical conditions and passport details. That ended up in one of the servers of Russian hackers located in an industrial town on the West Siberian Plain, three hours’ drive from the Kazakhstan border.

But even armed with this information the Medibank Private hackers were unsuccessful in their attempts at extortion.

So a lot of the data being pilfered by the hackers is starting to lose its value in the market, mainly because a lot of that information is either already out there or it can’t be weaponised as much as it could have been in the past. That’s a blow to the business model of the hackers and is almost certain to make them go after bigger, more lucrative prizes.

That’s why complacency is the last thing we need when it comes to companies, and each of us individually, doing our best to stay safe on the internet. Getting your bank details stolen is definitely a cause for alarm. And the psychological impact of breaches being discovered can be very disturbing.

As for corporates, the stakes are even higher. Just ask Optus.

Elizabeth Knight comments on companies, markets and the economy.
