A significant data breach at Qantas, Australia's largest airline, has compromised the personal information of approximately 5.7 million customers. The breach occurred through a third-party call center platform, exploiting vulnerabilities in the system.

Scope of the Breach

The cyberattack, detected in late June 2025, led to the theft of a variety of customer data. For about 4 million customers, the compromised information was limited to their names, email addresses, and Qantas Frequent Flyer details. However, for the remaining 1.7 million customers, the breach included more sensitive information such as residential and business addresses, dates of birth, phone numbers, genders, and even meal preferences.

Qantas has clarified that no credit card details, financial information, passport details, passwords, or PINs were compromised during the attack. The airline is currently notifying affected customers about the specific data types that were exposed in the breach.

How the Attack Happened

The attackers gained access to the Qantas customer data through a third-party call center platform. Investigations suggest that the cybercriminals used social engineering and impersonation techniques to bypass security measures and gain unauthorized access. By targeting a third-party vendor, the attackers were able to exploit weaker identity verification processes and access a large volume of sensitive customer data.

Scattered Spider

The tactics employed in the Qantas breach bear similarities to those used by a cybercriminal group known as Scattered Spider. This group is known for targeting large organizations and their IT help desks, using social engineering, credential theft, and other methods to gain access to sensitive data. Scattered Spider has been linked to attacks on various companies across different sectors, including retail, insurance, and aviation. The group often uses voice-based social engineering tactics to trick help desk staff into granting access or disabling multi-factor authentication. The FBI had previously issued warnings about Scattered Spider's focus on the airline industry.

Extortion Attempts and Investigation

Qantas has confirmed that it is being extorted by the cybercriminals behind the data breach. The airline has engaged the Australian Federal Police (AFP) and is working with cybersecurity experts to investigate the incident. Qantas is also collaborating with the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC).

Impact and Response

The data breach has raised concerns about cybersecurity across the aviation sector and its network of third-party suppliers. The incident highlights the importance of robust third-party risk management and the need for businesses to extend their security measures across their entire vendor network.

Qantas is urging customers to be vigilant against scams and phishing emails that may attempt to use the stolen data to steal further sensitive information. The airline is also implementing additional cybersecurity measures to protect customer data and is reviewing its security protocols.

The Qantas data breach serves as a reminder of the evolving cyber threat landscape and the importance of proactive cybersecurity measures, especially concerning third-party vendors.