Qantas Airways said Wednesday that the personal records of up to 6 million customers were accessed in a cyberattack, marking one of Australia's most significant data breaches to date and heightening scrutiny over third-party cybersecurity risks in the aviation industry.
The breach occurred through a third-party customer servicing platform used by a Qantas call center. The compromised data includes names, birthdates, email addresses, phone numbers, and frequent flyer numbers. The airline said that no passwords, credit card information, or passport details were stored on the affected system.
"We sincerely apologize to our customers and we recognize the uncertainty this will cause," Qantas CEO Vanessa Hudson stated. "Our customers trust us with their personal information and we take that responsibility seriously."
Qantas first detected unusual activity on the system Monday and moved quickly to contain the breach. The airline said the platform has since been secured, and there has been no disruption to flight operations or safety. The breach has been reported to the Australian Cyber Security Centre, the Australian Federal Police, and the Office of the Australian Information Commissioner. Independent cybersecurity experts have also been enlisted to investigate.
While the airline has yet to confirm the exact amount of data stolen, it warned that the volume is expected to be "significant." The incident sent Qantas shares down 3.5% in morning trading on the Australian Securities Exchange, underperforming a broader market gain of 0.4%.
Officials have not publicly confirmed the identity of the attackers. However, cybersecurity analysts say the methods resemble those used by the hacking collective known as Scattered Spider, a group composed of native English-speaking cybercriminals from countries such as the U.S., U.K., and Canada. The FBI has recently warned that Scattered Spider is actively targeting the aviation industry, using social engineering to bypass security measures and deploy ransomware.
"They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk," the FBI said in a recent alert.
Australia has seen a sharp rise in cyber incidents in recent years. The Office of the Australian Information Commissioner reported that there were 1,113 data breaches in 2024-an increase of 25% from 2023. Malicious attacks accounted for 69% of breaches in the latter half of 2024, with phishing responsible for 34% and ransomware for 24%.
Cybersecurity Minister Tony Burke, while declining to name the group behind the Qantas breach, acknowledged the challenges companies face when reliant on third-party vendors. "The reality is with these networks, they'll go where they can find vulnerability," Burke said on ABC's Afternoon Briefing.
Qantas has set up a dedicated customer support line and webpage to assist affected customers and provide updates. The airline emphasized that frequent flyer accounts and login credentials remain secure, and that the primary risk stems from exposure of personal contact data.
