Qantas has confirmed a cyber incident affecting a third-party platform used by one of its call centres. The breach exposed the personal data of frequent flyer members and other customers. It has now been contained.
In a statement, the airline said it had launched an investigation after noticing strange activity on its customer service system, which is operated by an external provider.
“There is no impact to Qantas’ operations or the safety of the airline,” the company said.
The breach was detected on 30 June. While the exact scale has not been determined, early indications suggest a large portion of the 6 million customer records held in the platform may have been compromised.
Exposed data includes names, email addresses, phone numbers, dates of birth, and frequent flyer numbers.
“Importantly, credit card details, personal financial information, and passport details are not held in this system. No frequent flyer accounts were compromised nor have passwords, PIN numbers or log in details been accessed,” the company said.
Qantas said it took “immediate steps” to isolate the system. “While we conduct the investigation, we are putting additional security measures in place to further restrict access and strengthen system monitoring and detection.”
Customers impacted by the breach are being contacted directly. The airline has apologised and is offering identity protection advice and support through a dedicated customer service line.
“We sincerely apologise to our customers and we recognise the uncertainty this will cause,” said Qantas Group CEO Vanessa Hudson. “Our customers trust us with their personal information and we take that responsibility seriously.”
Working With Law Enforcement
Hudson added that Qantas is working closely with national authorities. “We have notified the Office of the Australian Information Commissioner. Given the criminal nature of this incident, the Australian Federal Police has also been notified. We will continue to support these agencies as the investigation continues.”
The government’s National Cyber Security Coordinator has also been briefed, and independent specialised cyber security experts have been brought on board.
Airlines Under Fire
The incident adds Qantas to a growing list of airlines and transportation companies targeted by bad actors recently. Hawaiian Airlines, WestJet, and others have all found themselves in the crosshairs.
In addition, has published guidelines to help entities protect against attacks by the notorious Scattered Spider group.
Customers with upcoming travel plans need take no action. Flights are unaffected, and booking details can still be accessed via the Qantas app or website.
A dedicated information page is now live on qantas.com, and the airline says it will keep customers informed as the investigation continues.
The Hallmarks of Scattered Spider
Toby Lewis, Global Head of Threat Analysis at Darktrace, said Qantas’ cyber breach bears the hallmarks of Scattered Spider, the same group behind the recent attacks mentioned, as well as attacks on a slew of retailers, including Marks & Spencer and The Co-op.
“The attack follows their typical playbook: steal legitimate login credentials to walk into systems where critical security protections often aren’t enabled by default, while operating from Western countries to appear as legitimate users and bypass standard security filters.”
Lewis says we can expect the stolen customer data – names, emails, birthdates, frequent flyer numbers – to fuel convincing phishing campaigns targeting loyalty programs and tricking customers with fake payment requests using real booking details.
Third-Party Exposure
Kobi Nissan, Co-Founder & CEO at MineOS, added that this latest incident highlights a growing blind spot in enterprise risk: third-party exposure. “A company can invest heavily in its own internal security, but if its vendors fall short, customer data is still at risk.”
Nissan says this wasn’t just a technical failure, it reflects a breakdown in governance. “Enterprises must have continuous visibility into who has access to their customer data, what platforms are being used, and how that access is secured. One-time assessments or signed policies are not enough. Businesses need living, ongoing intelligence about their third-party ecosystem.”
This is also a critical moment for leadership, Nissan added. “Trust is not something you announce, it is something you operationalize. Every vendor you bring into your environment becomes part of your brand promise. If you can’t verify how they manage data, you can’t promise your customers that it’s protected.”
Weaker Points in the Supply Chain
The Qantas breach came through a third-party contact center platform, said Chad Cragle, Chief Information Security Officer at Deepwatch. “That’s what makes it so concerning. The attackers didn’t need to compromise Qantas’ systems; they found a weaker point in the supply chain and used it to access sensitive data, including names, emails, phone numbers, birthdates, and frequent flyer numbers, for potentially millions of customers.”
Cragle added that this aligns with what we’ve seen from Scattered Spider. “They rely on social engineering, MFA fatigue & SIM swapping, credential harvesting, and targeting service desks or outsourced support platforms. Their attacks focus on trust-based systems and human processes, rather than firewalls and servers.”
The timing isn’t a coincidence, Cragle explained. “With July 4 travel in full swing, attackers recognize that data tied to loyalty programs or travel plans is valuable, providing them with leverage without requiring access to core infrastructure.”
Cragle stressed that a company’s security is only as strong as its weakest vendor. “From a customer’s perspective, the safest approach is to assume compromise. Reset your passwords and PINs, monitor your accounts, and take action now. Security isn’t about reacting to headlines; it’s about staying ahead of them.”
A Wakeup Call for CISOs Everywhere
John Watters, Executive Chairman at Apollo Information Systems, said what we’re seeing is further evidence that AI-enabled adversaries are leveraging AI tools to conduct rapid reconnaissance of a company and/or common operating models of a specific industry in order to construct rapid, bespoke, attack methodologies in days and weeks. “This used to take months and years.”
Watters adds that the rapid adoption of AI by Scattered Spider and other groups has created a new and novel threat to organizations and industries. “Given their ability to create what is, in effect, a zero-day TTP for a specific company/industry in rapid development cycles should be a wakeup call for CISOs everywhere. CISOs can no longer rely on traditional cyber intelligence approaches documenting the population of actors, TTP, and IOC reporting on what has been seen before. We’re at the dawn of a new age where the majority of what we’re going to see is AI-generated and brand new.”
Security Fundamentals Are Key
Andy Bennett, Chief Information Security Officer at Apollo Information Systems, commented: “I’m not surprised to hear that Scattered Spider is moving into the transportation industry. This probably represents a natural progression in their targeting model because the transportation sector has a massive client base and is highly regulated.”
Bennett said the FBI recently warned the insurance industry as well and they are probably being targeted for similar reasons. “To comply with regulations, transportation providers hold and track a ton of data about the travelers who use their services. Scattered Spider could use the type of data held by airlines to build very complete profiles of millions of individuals, including details on their families and relationships if any travel or booking histories were included in the stolen information, that could then be used to calibrate future social engineering attacks (one of the things Scattered Spider is known for) very precisely and effectively.”
This type of incident highlights the need to always be vigilant and to ensure additional controls are in place, Bennett added. “Security fundamentals such as authenticator or token-based multifactor authentication (MFA), and not reusing passwords between systems, can go a long way in ensuring that individuals and organizations whose information is stolen in attacks such as this are not victimized in follow-on attacks. Unfortunately, there is no technical silver bullet that will solve this problem. People and processes are both the point of entry and the last line of defense.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


