Australia’s national airline, Qantas, today confirmed a significant cyber attack that has resulted in the unauthorised access of personal data belonging to approximately six million customer accounts. The breach, detected on Monday, involved a third-party platform used by a Qantas contact centre.
In a statement, Qantas assured the public that its core systems remain secure and that flight operations and safety have not been impacted. However, the compromised data includes customer names, email addresses, phone numbers, birth dates, and frequent flyer numbers. Crucially, the airline stated that sensitive financial information such as credit card details, personal financial information, and passport details were not stored on the affected system and therefore have not been compromised. Similarly, frequent flyer accounts themselves, passwords, PIN numbers, or login credentials were not accessed.
Qantas Group Chief Executive Officer Vanessa Hudson issued an apology to customers, acknowledging the concern and uncertainty the incident would cause. “Our customers trust us with their personal information, and we take that responsibility seriously,” Hudson stated, adding that the airline is actively contacting affected customers to provide support and information.
The airline took immediate steps to contain the breach upon detection and has since implemented additional security measures to restrict access and enhance system monitoring. The Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Australian Federal Police have all been notified, and independent cybersecurity experts are assisting with the ongoing investigation.
This incident marks another high-profile cyberattack in Australia, following major breaches at Optus and Medibank in 2022, which collectively impacted millions of Australians. The FBI recently issued a warning about the “Scattered Spider” cybercriminal group expanding its targeting to include the airline sector, and experts suggest this attack bears hallmarks of their methods, which often involve social engineering to gain access to third-party systems.
While Qantas continues to investigate the full extent of the data stolen, the sheer volume of affected accounts underscores the persistent and evolving threat of cybercrime. Customers are advised to remain vigilant for phishing attempts and suspicious communications and to refer to official Qantas channels for updates and support.
