Qantas Cyber Breach + ChatGPT Apology historical rehearsal
Qantas Airways · Qantas Cyber Breach + ChatGPT Apology
Qantas used AI to draft a crisis apology. The metadata betrayed them. We simulate how stakeholders react to AI-assisted communications before you send them. Would you have caught this risk?
Simulated public discourse across multiple rehearsal runs.
The metadata doesn't lie. We've obtained screenshots showing GPT-4o created Qantas's CEO apology letter. A few questions Qantas hasn't answered yet: who generated it, who approved it, when. Thread 🧵
We sincerely apologise for the security incident affecting our customers. We've notified all affected customers directly and are working with the ACSC. No financial, passport or password data was accessed. Visit qantas.com/security for support.
8 years Platinum with @Qantas. You lost my data, then sent me a ChatGPT apology without telling me. I shouldn't have to figure out what happened to my account myself. What are you actually doing to protect it?
Qantas loses 5.7M customer records. Also Qantas: here's a ChatGPT apology letter with embedded PNGs. The Spirit of Australia is apparently a system prompt.
Thread: what we know about the Qantas breach and your Frequent Flyer account. If you've seen suspicious activity, report to Qantas AND post here so we can track patterns. Starting with confirmed facts. [1/]
The OAIC is aware of the reported Qantas data breach. We are assessing the matter under the Notifiable Data Breaches scheme. Organisations must notify affected individuals and the OAIC as soon as practicable per the Privacy Act.
Qantas apology letter prompt: 'Write sincere CEO apology for data breach. Make it sound human.' Result: PNG bullet points and GPT-4o metadata. The Spirit of Australia is apparently a system prompt.
We've obtained the metadata. The Qantas CEO apology letter was created in GPT-4o. Screenshots published now on SmartCompany. Questions: who generated it, who approved it, when was it sent? Qantas has not yet responded.
8 years Platinum. You lost my data, then sent me a ChatGPT apology. I shouldn't have to monitor my own QFF account. What are you actually doing to protect it? .@Qantas .@QantasSupport
Thread: what we know about the Qantas breach and what it means for your Frequent Flyer account. If you've seen suspicious activity on your QFF account, report it to Qantas AND post in our forum. We're tracking patterns. [1/]
The OAIC is aware of the reported Qantas data breach. Organisations have clear obligations under the Privacy Act to notify affected individuals and the OAIC as soon as practicable. We are assessing next steps.
The metadata is not ambiguous. The Qantas apology letter was created in GPT-4o. We've published the screenshots. The question now: who approved distributing an AI-generated CEO apology to 5.7M affected customers?
Thread: what we know about the Qantas breach and your Frequent Flyer account. AFF members—if you've seen suspicious QFF activity, report to Qantas AND post in our forum thread so we can track patterns. [1/]
If you're affected by the Qantas breach: you have rights. We're collecting submissions from members to understand the full impact and push for real remediation. What's Qantas actually offering? [thread]
Been Platinum 8 years. You lost my data, then sent me a ChatGPT apology. Now I'm checking my QFF account daily. What are you actually doing to protect it, @Qantas?
Qantas: we lost your data. Also Qantas: [ChatGPT apology letter]. Also Qantas: we take your trust very seriously. The Spirit of Australia is apparently a system prompt.
7 hours since this statement. Still no answer: who at Qantas generated the letter in GPT-4o? Who approved it? When? The metadata is public. Silence is a choice.
We're investigating how this happened and will share more detail as soon as we can. Your Platinum status matters to us. Please DM for direct support.
You still haven't addressed the ChatGPT apology. That's the breach story now. Your customers deserve a human answer, not silence.
"No financial, passport or password data was accessed." Cool. Who accessed what data? When? How? And why did we find out from SmartCompany instead of you?
Confirmed. AFF members: we're tracking reports in the forum. If you see unauthorised activity on your QFF account, document it and report to Qantas immediately. We'll compile patterns here.
We are progressing our assessment of the Qantas breach under the NDB scheme. Organisations must notify affected individuals and the OAIC without unreasonable delay. We expect full compliance with Privacy Act obligations.
Metadata doesn't lie. If the CEO's signature is real but the words aren't, what does 'accountability' even mean anymore? This is the breach story now.
This is the actual question: who at Qantas decided a GPT-4o letter was appropriate for a CEO apology to 5.7M customers? Not the AI's fault. The approval decision is.
Just checked my QFF account for suspicious activity. Nothing yet but I shouldn't have to be doing this. What's Qantas actually doing to protect Platinum member accounts specifically?
This is the story now. Metadata confirms AI-generated apology to 5.7M customers whose data was exposed. AFF members: check your QFF account for unauthorised activity and report it. Forum thread pinned.
We're aware of the questions about how our initial apology was prepared. We take full responsibility. Our CEO and leadership are reviewing our internal processes. More details to follow shortly.
We are monitoring reports regarding Qantas's notification timeline under the Notifiable Data Breaches scheme. Organisations must notify affected individuals and the OAIC as soon as practicable, consistent with Privacy Act obligations.
This is exactly right. The AFF community has the infrastructure to surface patterns Qantas won't disclose voluntarily. We're tracking: who knew what, when, and why the letter was AI-generated. Keep reporting.
Check your QFF account settings now: force a password reset, enable 2FA if available, and consider freezing points transfers temporarily. We're tracking all reports in our forum thread—post there too so we can see if there's a pattern.
We're hearing from members who haven't received breach notification yet. When was this contained, Qantas? Affected customers need clarity on timing and what protections you're actually offering beyond monitoring advice.
Just checked my QFF account. Nothing flagged yet, but I'm resetting my password anyway. How long before Qantas tells us what account protections they're actually adding?
Leaked: the Qantas apology prompt. 'Write a sincere CEO apology for a data breach. Make it sound like a human wrote it.' Mission accomplished.
We've reached out directly to all affected customers with specific QFF account security steps: forced password reset, optional points-transfer freeze, and complimentary monitoring. Visit [qantas.com/security] for details. We take your trust seriously.
"Investigating how this happened." That's not an answer. The metadata shows GPT-4o generated the apology. Who pressed send? Who signed off? That's the story you're not telling.
We're reviewing the preparation and approval process for all customer communications. A full account of how this letter was created will be included in our detailed statement, coming within 24 hours.
Direct support means what, exactly? A script about monitoring my account? I need to know: did Platinum data get handled differently? And when will someone actually explain the AI letter?
"Your Platinum status matters to us." Mate, your data matters more. Still waiting for the actual answer: who approved the ChatGPT apology?
Thanks for the confirmation. AFF members reporting unauthorised activity: document timestamps, amounts, redemption details. We're compiling a pattern map for regulators and Qantas.
The OAIC expects organisations to meet their Privacy Act obligations promptly. Notification timing and scope are material to our ongoing assessment of this matter.
"Taking full responsibility" while your CEO's apology was written by a chatbot is peak corporate irony. The process review is the story now.
"More details to follow shortly" — it's now hour 16. The metadata is public. Who approved GPT-4o for a CEO apology to 5.7M people? This is not a process question. It's an accountability question.
A timeline and specific security measures would actually mean something. When will Platinum accounts get dedicated monitoring? What exactly changed after you discovered the AI apology?
Update on what AFF members are reporting: we've had 12 confirmed reports of suspicious QFF account logins in the last 8 hours. All from accounts with exposed Frequent Flyer numbers. Qantas support is aware. Keep reporting to us.
You're right. The decision to use AI-generated language in a CEO apology to millions of affected customers was ours. We failed. We're conducting a full review of who approved this and why.
The OAIC has opened a preliminary assessment into Qantas's compliance with notification obligations under the Privacy Act 1988. We expect full cooperation on timeline and scope of disclosure.
Forced password reset is good. But Qantas still hasn't answered: who knew the apology was AI-generated before it shipped? That's the decision-chain question.
Update: 47 AFF members have now reported suspicious QFF account activity in our forum thread since h8. Pattern emerging—most activity post-breach notification. Qantas needs to address this publicly, not just via direct outreach.
A generic apology isn't remediation. Affected customers deserve: credit monitoring details, compensation timeline, and specific QFF account protections. What's Qantas actually committing to? We're waiting for answers.
Forced reset and points freeze are a start. But I need to know: how long was the Manila centre compromised before you shut it down? And why wasn't that in the first statement?
The Qantas apology letter was literally written by ChatGPT. The question now is: did Hudson read it before sending it to 5.7M people, or did she just hit send?
Notifications were sent to all affected customers within 24 hours of discovery. We're offering complimentary monitoring and account-security tools. Full details at qantas.com/security.
"Full account... within 24 hours." That was said 20 hours ago. The metadata is still public. The approval chain is still undisclosed. Where is the statement?
The letter was drafted using AI tools and approved internally without adequate human review. We failed that standard. A full account of the approval chain and process changes will be in our statement within hours.
"Within 24 hours" was 16 hours ago. It's now h36. Still no answer on who used GPT-4o or why. Your Platinum customers are monitoring their accounts because you won't say what happened.
"Full account... within 24 hours." You've had 20 hours. The metadata is already public. Stop promising transparency and start delivering it.
36 hours in: Qantas says a full account is coming. AFF members—if you've spotted unauthorised activity, we need it documented NOW. Timestamps, amounts, redemption method. We're building the evidence map.
Organisations must notify the OAIC without unreasonable delay under the Privacy Act. We are monitoring Qantas's compliance with notification obligations and timeline closely.
Finally. Now the actual question: who decided GPT-4o was the right tool for this? And why didn't anyone flag it before 5.7M inboxes got a chatbot apology?
This is the statement the metadata question needed 16 hours ago. Who approved it, when, and why was it not in the first letter? Those answers matter as much as the acknowledgement.
Appreciate the acknowledgment. But 'full review' doesn't answer the immediate question: what are you doing *right now* to secure Platinum accounts? Timeline matters.
This is the accountability moment. Qantas admits the decision was theirs. AFF members: we're tracking 12+ suspicious QFF logins tied to exposed account numbers. Report activity to Qantas AND to our forum thread.
You're asking the right question. We're identifying exactly who in our leadership chain approved this decision and why. That accountability review is underway now. We'll be transparent about findings.
The OAIC's preliminary assessment into Qantas's notification compliance is now active. We are examining the timeline, scope, and process by which affected individuals were notified of the breach. Qantas must provide full documentation.
47 reports in 8 hours. That's not anecdotal—that's a pattern. The metadata question and the fraud question are now running in parallel. Both demand answers.
Thread: suspicious QFF account activity reports now at 73 members (updated from 47 at h16). We're seeing unauthorized points transfers, login attempts from unfamiliar locations, and account-access alerts. Posting the full list of symptoms in the forum. [1/]
Affected members: we're now collecting detailed account-activity reports from 150+ customers. If you've seen suspicious QFF activity, reply here or submit via choicemembership.com.au/qantas-breach. Your data helps regulators act.
47 reports in 28 hours is not a coincidence. Points transfers, password resets, account lockouts. Qantas's statement says 'complimentary monitoring'—I need to know if they're actually freezing accounts or just offering credit watch after the fact.
So Qantas forced a password reset but won't say who approved sending an AI apology to 5.7M people. One is crisis management. The other is the actual crisis.
We're aware of the reports and taking them seriously. All affected QFF accounts now have mandatory password resets, 2FA, and points-transfer freeze options. Full account-security briefing at qantas.com/security.
"Approved internally without adequate human review." Who approved it? When? Which executives? The metadata is public. The approval chain is not. That's the gap.
Our full statement on the approval process, AI use, and next steps is being finalised now and will be published within the next 2 hours. Thank you for holding us accountable.
"Without adequate human review." That's the problem, isn't it? Who decided a machine-written apology for a data breach was acceptable at all? I need specifics: names, titles, sign-off chain. Not another statement in a few hours.
"Adequate human review." Mate, the entire point is that humans *didn't* review it before it went out. That's the problem you're admitting to.
48h update: AFF members, we've had 12+ reports of suspicious activity. Documenting all. Qantas: we need specifics on breach containment and account security steps NOW—not in the next statement.
The OAIC is aware of the reported timeline and is assessing Qantas's compliance with notification obligations under the Privacy Act. We will update stakeholders as our review progresses.
'Accountability review underway' — so you're still in investigation mode 48 hours in? The metadata is public. Who signed off on GPT-4o? That's not a review question.
The timeline matters here. Was the decision to use GPT-4o made before or after the breach was discovered? And who in the chain signed off on sending it to 5.7M people?
That's the right answer but it's 48 hours late. My Platinum account data is out there. I need to know: what's the timeline for dedicated monitoring? When does it start?
Thread: AFF members reporting account compromise patterns. We're now at 18 confirmed suspicious logins tied to exposed QFF numbers. If you've seen activity on your account, report to Qantas AND reply here with details. [1/]
We're implementing immediate account security protocols for all Platinum members. MFA rollout begins within 48 hours. Detailed timeline and support options at qantas.com/security.
The OAIC notes Qantas's commitment to a full accountability review. We are monitoring this process closely and expect detailed findings on decision-making and approval chains within 14 days. Compliance obligations remain in effect.
Password resets and 2FA are baseline. The real question: how many of those 73 accounts saw unauthorized activity *after* Qantas knew about the breach but *before* they reset passwords? Timeline matters.
73 reports now. The pattern is clear: unauthorised transfers, login alerts, account lockouts post-breach. Qantas's password reset is necessary but insufficient. We need to know: are points being actively monitored for theft, or are members discovering fraud after the fact?
Account freeze is a start. But affected members need to know: are points transfers permanently locked, or just pending approval? And will Qantas cover fraudulent activity if it happens despite these measures?
You say 'points-transfer freeze options'—does that mean I have to opt in, or is it automatic? Because 73 members have already seen unauthorized activity. Opt-in is too slow.
Qantas: 'we're taking fraud seriously.' Also Qantas: sends apology via ChatGPT, won't say who approved it. One action, one silence. Guess which one tells you everything.
We've now frozen points transfers on all affected accounts and are monitoring for unauthorized access in real-time. If you see suspicious activity, report it directly to us at @QantasSupport.
"Within the next 2 hours." It's now 50 hours since the first SmartCompany story. The approval chain remains undisclosed. Specifics—names, dates, sign-off authority—are what accountability looks like.
"Within the next 2 hours." You said that yesterday. The metadata is public. The approval chain isn't. Stop announcing statements and publish them.
72h summary: 12+ suspicious activity reports logged. Qantas statement on approval chain still pending. OAIC reviewing notification timeline. AFF forum thread: [link]. Keep reporting.
The OAIC notes Qantas's commitment to provide a full account. Organisations must also ensure notification timelines under the Privacy Act have been met. We are reviewing compliance.
14 days to explain who signed off on sending a GPT apology to 5.7M people? The metadata's already public. That's not a review timeline, that's a delay tactic.
Organisations must ensure their breach notification practices comply with the Privacy Act 1988. The OAIC will continue to assess this matter and expects Qantas to provide requested documentation promptly.
Update: 89 reports now (h72). We're seeing a clear split: fraud detected pre-password-reset vs. post-reset. Timeline data is critical. Forum thread pinned. Qantas: we need the breach-discovery-to-notification lag documented.
Freezing points transfers is good. But I need to know: are you actively monitoring for unauthorized access *right now*, or am I discovering fraud weeks later? And if points are stolen despite the freeze, will you cover it?
Leaked: the Qantas apology prompt. 'Write a sincere CEO letter. Make it sound human. Embed a PNG instead of Unicode so nobody notices.' Nailed it.
Points freeze is automatic for all 73 affected accounts. No opt-in required. We're also offering full points-balance protection and fraud liability coverage. Details at qantas.com/security or DM us.