Qantas Data Breach: Up to 6 Million Customers’ Personal Info Exposed in Third-Party Contact Centre Attack
Australian airline Qantas has suffered a significant cybersecurity incident after malicious actors gained access to a third-party platform containing customer data, the company announced on Monday evening.
Qantas, the nation’s largest carrier—operating both domestic and international flights across six continents and employing approximately 24,000 people—confirmed that the breach was swiftly contained. However, it has already been established that a substantial amount of customer information was compromised.
According to company representatives, the incident began when unknown individuals targeted Qantas’s contact center and, through it, infiltrated a third-party service platform used for customer engagement.
Preliminary analysis indicates that the attackers obtained personal information belonging to millions of customers. Among the data exposed were names, email addresses, phone numbers, dates of birth, and Frequent Flyer membership numbers. Crucially, no payment data, passwords, PINs, or login credentials were compromised.
The airline clarified that the affected platform contains records on six million customers. At present, cybersecurity experts are still assessing the full extent of the data leak.
Immediately upon detecting the breach, Qantas reported the incident to the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Federal Police. There has been no official confirmation yet regarding the involvement of external cybersecurity firms.
Notably, the attack occurred amid growing warnings from cybersecurity experts about heightened activity from the hacker collective known as Scattered Spider, which has increasingly targeted the aviation and transportation sectors. While there is no definitive evidence linking the group to the Qantas incident, several indicators suggest similarities with their known modus operandi.
Scattered Spider—also identified as 0ktapus, UNC3944, Scatter Swine, Starfraud, and Muddled Libra—is infamous for its use of social engineering and credential theft to breach the networks of large corporations. The group employs phishing, SIM-swapping, multi-factor authentication bypass, and support center impersonation to infiltrate systems.
In September 2023, the group made headlines after compromising MGM Resorts’ network and encrypting over a hundred VMware ESXi hypervisors using the BlackCat ransomware. Scattered Spider is also known to collaborate with other notorious collectives such as RansomHub, Qilin, and DragonForce.
Previous victims of the group include high-profile entities such as Twilio, Coinbase, DoorDash, MGM Resorts, Caesars Entertainment, MailChimp, Riot Games, and Reddit.
Experts have observed a shift in the group’s focus—from retail and insurance companies to the aviation industry. Hawaiian Airlines and WestJet were recently hit by similar attacks. In the case of WestJet, the attackers exploited a vulnerability in the password self-recovery system to gain access to an employee account and, subsequently, the company’s internal infrastructure.
Security analysts emphasize that the group’s operations are systematic, often targeting one industry at a time. It remains uncertain whether their campaign against the aviation sector has concluded or if further incidents should be anticipated.
To defend against such threats, companies are urged to maintain rigorous visibility and control over their IT infrastructure, identity management systems, and mission-critical services. Special attention should be paid to the security of password recovery mechanisms, support centers, and third-party providers, which frequently serve as weak links in the cybersecurity chain.