Qantas confirms data breach affecting up to six million customers

Qantas has confirmed a significant cyber-attack that has potentially exposed the records of up to six million customers. The Australian airline announced that the affected system, a third-party platform utilised by its contact centre, has now been contained and its wider systems secured.

The compromised data includes customer names, email addresses, phone numbers, birth dates and frequent flyer numbers. Qantas has assured customers that credit card details, financial information, passport details and frequent flyer account access (passwords, PINs, or login details) were not compromised in the incident.

Unusual activity on the platform was first detected by Qantas on Monday, prompting immediate containment measures. The airline is currently assessing the exact volume of data stolen but anticipates it to be “significant.”

In an updated statement issued to customers, Qantas clarified that the cybercriminal “targeted a call centre and gained access to a third-party customer servicing platform.” While the identity of the attacker remains unknown, the tactics employed are believed to bear similarities to the Scattered Spider ransomware group, which has previously targeted airlines and retail businesses in the US.

Aviation industry under attack

Spencer Starkey, Executive VP EMEA of leading cybersecurity firm SonicWall, who has long spoken about large-scale cyberattacks on industry and national infrastructure, said:

“Given the volume of personally identifiable information that aviation companies hold, they face a multitude of serious cybersecurity threats. These range from phishing attacks and ransomware, to data breaches, insider threats, and advanced persistent threats. Firms should also be wary of DDoS attacks, vulnerabilities in third-party software, and the risks posed by a lack of security awareness among employees.

“It is not a matter of if, but when these institutions are attacked. As such, a robust series of security measures and regular training for staff on best practices is crucial to ensure data is safeguarded. Many organisations are still securing yesterday’s infrastructure against yesterday’s threats. The vulnerabilities being exposed today, from Active Directory misconfigurations to poorly implemented MFA, reveal that many companies lack the agility and investment needed to defend against modern, identity-based attacks. This isn’t just a technology gap; it’s a leadership and culture gap too.”

Cybercrime presents huge risk to travellers

William Wright, CEO of Closed Door Security, said: “Cyberattacks on airlines are some of the most dangerous that can ever occur: not only is highly confidential data belonging to citizens all across the world at risk, but there is also a risk they can have an operational impact which can, in the very worst cases, affect aircraft.

“Fortunately, based on the information available at present, this attack only seems to have impacted data and Qantas is working on containment and restricting further access to systems.

“Given this attack was executed via Qantas’s contact centre, it does bear all the hallmarks of Scattered Spider. This collective of criminals often targets victims via third-party service providers, using social engineering and trying to convince victims to initiate password resets. Once successful, they then gain access to systems, syphon data and send out a ransom demand.

“All organisations must be on high alert for these attacks, especially given the volume of victims we are seeing today. Organisations must implement processes to validate the authenticity of password reset requests, such as running a double-verification process, where no single person has the authority to initiate one.

“Customers of Qantas must also be on high alert for phishing. These emails could be designed to look like genuine communications in relation to the incident but are actually aimed at tricking recipients into handing out their personal or financial information. It is therefore essential that customers take note of this threat and treat all communications around the incident with caution. 

“Avoid clicking on links and attachments from unknown senders and always check the address where an email is coming from. The best way to keep updated on information around the incident is to visit the Qantas website and monitor for official statements.”

Australia continues to be a target as cybercrime escalates

Cyberattacks continue to escalate in Australia. In April, superannuation funds experienced hacks affecting a small number of customers, resulting in over A$500,000 being stolen from their accounts.

Further highlighting this trend, the Office of the Australian Information Commissioner reported in May that the number of data breaches under the mandatory notification scheme increased by 25% in 2024 compared to 2023.

Specifically, the report covering 1 July to 31 December 2024 documented 595 data breaches in the second half of the year. This brought the total reported breaches for 2024 to 1,113, a 25% increase from 893 in 2023.

During this six-month period, health providers reported the highest number of breaches (121), followed by government entities (100), the finance sector (54), legal and accounting firms (36), and retail businesses (34).

The report also indicated that 69% of these data breaches were a result of malicious or criminal attacks. Phishing, involving the use of compromised credentials to access data, was the most prevalent method, accounting for 34% of such incidents. Ransomware followed as the second most common, at 24%.

While the majority of reported breaches affected fewer than 5,000 individuals, two incidents were noted to have impacted between 500,000 and 1 million people. The personal information most frequently compromised in these breaches included contact details, identification information, or financial and health records.

Also commenting, Juliette Hudson, CTO, CybaVerse, said: “It is commendable how quickly Qantas has come out about this breach, especially given attack activity was only detected a few days ago. This suggests the organisation has monitoring in place, enabling it to detect malicious activity quickly, but unfortunately data does still seem to have been accessed. At this stage, Qantas will be running forensics to understand the true scope of the impact of this incident.”

She added: “It also seems unlikely it will pay any ransomware demands. Critical organisations, like Qantas, are required to report all ransom payments, so paying could negatively impact the organisation’s image, especially given the payment could easily be made public.”
