Australia’s flagship carrier Qantas revealed a significant cybersecurity incident compromising the personal data of approximately six million customers, Reuters reported.
The breach occurred when a hacker infiltrated a third-party customer service platform used by a Qantas call centre, accessing names, email addresses, phone numbers, birth dates, and frequent flyer numbers. The airline confirmed it detected unusual platform activity and “acted immediately to contain” the intrusion, though operational systems and flight safety remain unaffected.
Qantas did not identify the call centre’s location or specify affected customers but warned:
We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant.
The incident aligns with recent warnings from the US Federal Bureau of Investigation regarding cybercrime group Scattered Spider targeting airlines. Security experts noted Hawaiian Airlines and Canada’s WestJet reported similar breaches last week.
Mark Thomas, Australia director for Arctic Wolf, highlighted the attack’s alarming coordination. Charles Carmakal of Mandiant advised global airlines to heighten vigilance against social engineering attacks, though attribution remains unconfirmed. Qantas shares fell 2.4% following the announcement, underperforming the broader market’s 0.8% gain.
The breach compounds challenges for Qantas as it seeks to rebuild public trust following pandemic-era controversies. The airline faces scrutiny over its 2020 illegal sacking of ground staff while receiving government stimulus, and admitted selling tickets for cancelled flights.
It also drew political criticism for allegedly lobbying against Qatar Airways’ bid for additional flights, a move Australia’s competition regulator said reduced price competition. CEO Vanessa Hudson, who has steadied the airline’s reputation since 2023, acknowledged customer concerns:
We recognise the uncertainty this will cause. Our customers trust us with their personal information and we take that responsibility seriously.
Qantas confirmed passwords, PINs, and financial data were not accessed and has notified Australian cybersecurity authorities.
