- Qantas says a cybercriminal has made contact after a breach involving frequent flyer data from up to 6 million customers.
- The airline is working with police and cybersecurity teams to investigate.
Qantas says someone claiming to be behind a recent data breach has reached out to the airline, following an attack that may have exposed the personal details of up to 6 million customers.
In a statement, a Qantas spokesperson said the airline is working to confirm the legitimacy of the contact. The matter has been referred to the Australian Federal Police (AFP), but the company declined to say if a ransom was involved.
“There is no evidence that any personal data stolen from Qantas has been released,” the spokesperson said. “With the support of specialist cybersecurity experts, we continue to actively monitor.”
The AFP also confirmed it is investigating and will provide more information at a later stage. “The airline has been highly engaged in assisting authorities and the AFP with investigating this incident,” it said.
The breach, which occurred on July 2, targeted a third-party system connected to a Qantas call centre. The data potentially accessed includes customer names, email addresses, phone numbers, and dates of birth. The airline says it shut down the suspicious activity quickly, but a significant amount of data may have been taken.
Qantas added that no credit card, financial, or passport information was involved, and login credentials, such as passwords or PINs, were not accessed. Frequent flyer accounts were also unaffected.
The identity of the attacker remains unknown. However, the tactics used match those of a group known as Scattered Spider, which has previously been linked to attacks on other large companies, including UK retailer Marks & Spencer.
Unlike many cybercrime groups based in Russia or Eastern Europe, Scattered Spider is believed to include native English speakers. This has allowed the group to use voice-based social engineering tactics—sometimes called “vishing”—to bypass security systems.
These attacks often involve calling a company’s IT support, posing as employees or contractors to trick help desk staff into granting access or turning off multi-factor authentication.
“Native English authenticity can sometimes lead to an automatic sense of trust. There is a level of perceived familiarity that might cause personnel or even IT teams to lower their guard slightly,” said Nathaniel Jones, vice-president of threat research at Darktrace, highlighted by The Guardian.
In recent months, Scattered Spider has reportedly targeted US airlines using these same tactics.
Social engineering attacks are becoming more common in Australia. The Office of the Australian Information Commissioner (OAIC) reported that nearly a third of all malicious or criminal data breaches in the second half of last year were linked to social engineering. Government agencies were hit particularly hard, accounting for 60 of the 115 reported incidents—up 46% from the previous period.
Google has also flagged similar tactics in recent threat reports, pointing to a rise in impersonation-based attacks across multiple sectors.
The Qantas breach adds to a growing list of cyberattacks that have affected major Australian organisations. Optus, one of the country’s top telecom providers, was hit by a breach that exposed personal information from millions of customers. Medibank, a major health insurer, suffered an attack that resulted in medical data being leaked online.
There have also been concerns about the security of Australia’s retirement savings system after cybercriminals targeted the $4 trillion superannuation sector.
These incidents have put more pressure on companies and regulators to strengthen their cybersecurity practices. While many firms are investing in new tools, recent breaches suggest that basic controls—like verifying internal access requests and monitoring third-party systems—still fall short.
