Qantas cyber‑attack exposes data of up to six million customers
Major breach via third‑party call‑centre platform raises identity-fraud alarms as investigators point to social-engineering gang Scattered Spider

Qantas was hit by a “significant” cyber‑attack that breached a third-party call‑centre system in the Philippines, compromising the personal details of up to six million customers.
What Was Breached
- Personal Data: Customer records included names, email addresses, phone numbers, dates of birth, and frequent flyer numbers.
- No Financial or Sensitive Data: Qantas confirmed that credit card numbers, bank details, and passport data were not stored in the affected system. Additionally, no frequent‑flyer account passwords, PINs, or login credentials were compromised.
How It Happened
- Call‑Centre Breach: The attack infiltrated a third‑party platform supporting Qantas’s customer service operations.
- Likely Culprit – Scattered Spider: Though Qantas has not officially identified the perpetrators, the attack mirrors tactics used by the Scattered Spider group (UNC3944), known for social engineering via vishing to bypass multi‑factor authentication. The FBI previously warned that this group is increasingly targeting airlines, including Hawaiian and WestJet.
Qantas’s Response
- Immediate Containment: The system was isolated promptly upon detection, and Qantas says “all core systems remain secure” with no effect on flight operations or safety.
- Official Apology & Support: CEO Vanessa Hudson apologized and initiated outreach via email, phone, and a dedicated helpline (1800 971 541) to guide customers.
- Active Investigations: The airline is working with the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, AFP, independent cybersecurity specialists, and the FBI.
Risks & Impacts
- Data Repurposing Risk: While no direct financial data was stolen, exposed personal information can fuel identity theft, phishing, and social‑engineering scams.
- Industry Trend: This is part of a wider wave of cyber‑attacks hitting Australian companies, following high-profile breaches at Optus, Medibank, and more recently Hawaiian Airlines and WestJet.
Recommended Steps for Customers
- Assume you’ve been affected, even if not yet contacted.
- Change your passwords immediately, especially if reused.
- Activate two‑factor authentication (2FA) on critical accounts like email and banking.
- Be vigilant, verifying any call, email, or SMS claiming to be from Qantas.
- Monitor your accounts and consider dark‑web scanning or identity protection services.
Final Take
This breach marks one of Australia’s most significant airline data incidents in recent years. While immediate financial systems are safe, the stolen personal information poses a serious long‑term risk. Qantas has contained the incident and is supporting affected customers, but vigilance remains critical—especially in the face of sophisticated threats like those posed by Scattered Spider.