Qantas suffers data breach as hackers access millions of customer records

Qantas has confirmed a significant cyberattack affecting the personal data of up to six million customers, marking one of Australia’s most serious data breaches in recent years and delivering a fresh blow to the airline’s reputation.

The breach, which targeted a third-party customer service platform used by a call centre, exposed names, email addresses, phone numbers, dates of birth and frequent flyer numbers, the airline said in a statement.

Qantas has not disclosed the geographical location of the compromised call centre or the nationalities of those affected. The airline said the breach was discovered after it identified unusual activity on the platform and moved swiftly to contain the incident.

“We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant,” the airline said. It added that there had been no impact on flight operations or safety.

Dray Agha, senior manager of security operations at Huntress, said: “This breach proves attackers target suppliers like contact centres to reach big brands.

“Qantas customers’ data was stolen through a single employee’s unauthorised login at an external provider.

“Every company must enforce strict security rules for partners with access to their systems, including having mature security solutions with detection and response capabilities.”

Javvad Malik, lead security awareness advocate at KnowBe4, added: “The real danger lies in what criminals can do with this data.

“With names, phone numbers, and frequent flyer details, attackers can now craft convincing phone scams, posing as Qantas representatives to extract more valuable information from unsuspecting customers.

“There are two key lessons from this incident. Firstly, that supply chain security needs to have the same focus as internal systems.

“Secondly, that people need to remain sceptical of unsolicited contact. Even if the caller sounds genuine and has personal information, legitimate organisations will never request information, payment, or MFA codes over the phone.”

Part of a Wider Cybercrime Trend

The breach comes amid growing concern about cyberattacks on global airlines. Last week, the US Federal Bureau of Investigation warned that cybercrime group Scattered Spider had been actively targeting carriers. Hawaiian Airlines and Canada’s WestJet have already reported security incidents.

While Qantas did not name any specific group responsible for the breach, cybersecurity experts say the method matches known tactics used by Scattered Spider — a group known for impersonating IT staff to trick employees into revealing credentials.

“This trend is particularly alarming due to its scale and coordination,” said Mark Thomas, Australia Director of Security Services at cyber defence firm Arctic Wolf. “With fresh reports that Qantas is the latest victim, it is plausible the group is executing a similar playbook.”

Reputational Setback

The breach comes as Qantas attempts to rebuild trust following a turbulent period marked by customer service complaints and legal scrutiny over its pandemic-era flight policies. The airline has been under pressure to restore its public image and had begun to see early signs of recovery.

The data breach is now likely to intensify scrutiny of Qantas’s digital infrastructure and raise questions about the security of third-party platforms used by airlines.
