Summary

  • A cyber attack on a third-party vendor exposed the personal data of six million Qantas customers.
  • Stolen data includes names, emails, phone numbers, dates of birth, and frequent flyer numbers.
  • No financial data or login credentials were compromised, but the stolen PII is still highly valuable for phishing and identity scams.
  • The attack mirrors tactics used by Scattered Spider, a hacking group that has recently targeted a string of airlines.
  • The breach highlights that third-party platforms are becoming major vulnerabilities.
  • Key lesson: Cyber resilience must extend to your entire supply chain.

Qantas is warning millions of customers that their personal data could be exposed after a cyber attack hit a third-party platform used by one of its offshore contact centers.

Here’s everything we know about the breach so far. 

How did the breach happen? 

Qantas says it detected unusual activity on the affected third-party system earlier this week and moved quickly to contain it, but not before a cybercriminal gained access and stole what the airline describes as a “significant” amount of data: that of six million customers.

An initial review has confirmed that the stolen data includes names, email addresses, phone numbers, dates of birth, and frequent flyer numbers.

The airline says no credit card details or banking information were exposed, and credentials for frequent flyer accounts were not compromised. Still, the personal data that was stolen can be highly valuable on the dark web.

With the right personal details, threat actors can launch convincing phishing and social engineering attacks. A name, a phone number, and a frequent flyer number might sound harmless—but in the wrong hands, that’s more than enough to build a believable scam designed to steal even more sensitive information.

A pattern of activity 

The Qantas breach comes as cybersecurity researchers warn that a hacking group known as “Scattered Spider” has begun targeting the aviation and transport sectors.

The group is known for using social engineering tactics to infiltrate corporate systems. These include phishing campaigns, MFA fatigue attacks and even impersonating staff in calls to help desks—all with the aim of harvesting employee credentials and bypassing security controls.

There’s no confirmation yet that Scattered Spider was behind the Qantas incident. But the breach bears hallmarks of the group’s past activity. The same hackers are believed to have been involved in recent attacks on Hawaiian Airlines and WestJet, raising concerns that the industry could be facing a highly sophisticated hacking campaign.

Lessons learned

While specific details about how the attack unfolded remain unclear, the breach points to a growing vulnerability across companies: as digital ecosystems expand—especially those involving third-party vendors and offshore service providers—so does the attack surface.

The fact that a breach of this scale impacted Australia’s national airline serves as a wake-up call. Cyber resilience can no longer stop at the perimeter. Organisations need to look beyond their own networks and harden the entire supply chain. 

Here are the key takeaways: 

  • Cyber resilience must extend beyond internal systems: A breach at a partner can quickly become your problem. That means assessing the entire digital supply chain, not just your in-house defences.
  • Frameworks like ISO 27001 matter more than ever: Clear security standards and governance structures provide a baseline for vendor risk management and help ensure that everyone in the ecosystem knows their role when it comes to protecting data.
  • Traditional DLP doesn’t cut it in modern environments: With data constantly moving across SaaS platforms and third-party tools, static, perimeter-based controls can’t keep up.
  • Runtime security tools like Polymer can close the gap: Polymer is built to detect and prevent sensitive data exposure across cloud apps, chat platforms, and external vendors—offering real-time protection even when data leaves your core environment.

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards.