Qantas is warning millions of customers that their personal data could be exposed after a cyber attack hit a third-party platform used by one of its offshore contact centers.
Here’s everything we know about the breach so far.
How did the breach happen?
Qantas says it detected unusual activity on the affected third-party system earlier this week and moved quickly to contain it, but not before a cybercriminal gained access and stole what the airline describes as a “significant” amount of data: that of six million customers.
An initial review has confirmed that the stolen data includes names, email addresses, phone numbers, dates of birth, and frequent flyer numbers.
The airline says no credit card details or banking information were exposed, and credentials for frequent flyer accounts were not compromised. Still, the personal data that was stolen can be highly valuable on the dark web.
With the right personal details, threat actors can launch convincing phishing and social engineering attacks. A name, a phone number, and a frequent flyer number might sound harmless—but in the wrong hands, that’s more than enough to build a believable scam designed to steal even more sensitive information.
A pattern of activity
The Qantas breach comes as cybersecurity researchers warn that a hacking group known as “Scattered Spider” has begun targeting the aviation and transport sectors.
The group is known for using social engineering tactics to infiltrate corporate systems. These include phishing campaigns, MFA fatigue attacks and even impersonating staff in calls to help desks—all with the aim of harvesting employee credentials and bypassing security controls.
There’s no confirmation yet that Scattered Spider was behind the Qantas incident. But the breach bears hallmarks of the group’s past activity. The same hackers are believed to have been involved in recent attacks on Hawaiian Airlines and WestJet, raising concerns that the industry could be facing a highly sophisticated hacking campaign.
Lessons learned
While specific details about how the attack unfolded remain unclear, the breach points to a growing vulnerability across companies: as digital ecosystems expand—especially those involving third-party vendors and offshore service providers—so does the attack surface.
The fact that a breach of this scale impacted Australia’s national airline serves as a wake-up call. Cyber resilience can no longer stop at the perimeter. Organisations need to look beyond their own networks and harden the entire supply chain.
Here are the key takeaways:
- Cyber resilience must extend beyond internal systems: A breach at a partner can quickly become your problem. That means assessing the entire digital supply chain, not just your in-house defences.
- Frameworks like ISO 27001 matter more than ever: Clear security standards and governance structures provide a baseline for vendor risk management and help ensure that everyone in the ecosystem knows their role when it comes to protecting data.
- Traditional DLP doesn’t cut it in modern environments: With data constantly moving across SaaS platforms and third-party tools, static, perimeter-based controls can’t keep up.
- Runtime security tools like Polymer can close the gap: Polymer is built to detect and prevent sensitive data exposure across cloud apps, chat platforms, and external vendors—offering real-time protection even when data leaves your core environment.