Qantas Airways has revealed that a cyberattack targeting a third-party customer service platform has compromised the personal details of about six million customers.
The incident, described by the airline as a major data breach, affects names, email addresses, phone numbers, birth dates, and frequent flyer numbers.
The breach did not impact flight operations or safety systems, but it represents one of the largest cybersecurity incidents in Australia’s recent history.
The company said it detected “unusual activity” on the external platform and acted immediately to secure the system.
The attack was directed at a call centre database hosted by a third-party provider.
Qantas did not disclose the name or location of the call centre or offer details on which customers were affected geographically.
The airline confirmed that login credentials, passwords, and PINs were not accessed in the breach.
FBI alerts global airlines as attacks escalate
The incident comes just days after the US Federal Bureau of Investigation issued a public warning that the cybercrime group Scattered Spider had been targeting airlines.
Hawaiian Airlines and Canada’s WestJet have also reported breaches linked to this threat actor.
While Qantas did not attribute the breach to any group, the FBI’s recent advisory raised the likelihood of coordinated, sector-wide attacks.
The breach has prompted increased scrutiny of security measures across the aviation industry, with cybercrime posing growing risks to customer data and corporate infrastructure alike.
Regulator and police notified as probe continues
Qantas confirmed that it has reported the breach to the Australian Cyber Security Centre (ACSC), the Office of the Australian Information Commissioner (OAIC), and the Australian Federal Police (AFP).
The airline is currently assessing the full scope of the breach, warning that it is expected to be “significant.”
The OAIC had not issued a statement at the time of reporting. Investigations are still underway to determine the full scope and nature of the breach.
The airline’s CEO, Vanessa Hudson, acknowledged the severity of the situation and its potential impact on public trust.
She said the airline takes the responsibility of handling personal data seriously and is working to minimise uncertainty for affected customers.
Qantas has not stated whether it will offer identity protection or compensation to impacted individuals.
Share price falls as trust rebuilding efforts take a hit
Qantas shares fell by 2.4% in afternoon trading on Wednesday, underperforming the broader market that was up by 0.8%.
The cyberattack adds pressure on the airline, which has spent over a year rebuilding its reputation following a series of controversies.
The carrier had previously faced public criticism for illegally dismissing thousands of ground workers during the 2020 border closure while receiving government stimulus payments.
It also came under fire for selling tickets for flights that had already been cancelled and was embroiled in a 2022 lobbying row after the government denied Qatar Airways additional landing rights—an outcome that the competition regulator said reduced price competitiveness.
Since assuming leadership in 2023, Hudson has improved Qantas’ public image.
However, this latest cybersecurity incident threatens to undo recent progress, especially as customers grapple with the implications of their data being exposed.
Qantas said it will continue cooperating with authorities and provide further updates as more information becomes available.
The post 6 million Qantas customers hit in one of Australia’s biggest data breaches appeared first on Invezz
