Qantas has confirmed a significant data breach, attributed to unauthorized access through a third-party contact center platform, impacting millions of its frequent flyers as the airline industry approaches its peak travel season.
The breach was detected on July 1, 2025, when Qantas’ cybersecurity team identified unusual activity on systems maintained by an external service provider. Preliminary assessments indicate that the personal information of up to six million customers, including names, email addresses, phone numbers, dates of birth, and frequent flyer numbers, may have been compromised. Fortunately, Qantas has stated that no financial information, passwords, or passport details were involved in the breach.
While the airline managed to contain the situation swiftly, cybersecurity experts have noted that this incident aligns with a worrying trend of similar attacks against various airlines in recent weeks. Reports from security firms and U.S. federal agencies have linked these breaches to the hacking group known as Scattered Spider, which is suspected of orchestrating recent attacks on Hawaiian Airlines and WestJet.
Scattered Spider is known for employing social engineering techniques that deceive customer service personnel and vendors into granting unauthorized access to confidential systems. This group has been associated with a series of high-profile cyber incidents, including breaches of notable brands like Victoria’s Secret, M&S, Co-op, and MGM Resorts in September 2023.
Emerging Threats to Airlines
Airlines are particularly attractive targets for cybercriminals, given their extensive handling of sensitive personal data and operational complexities on a global scale. Qantas assured that its core systems remain secure, and the affected platform has been isolated for a thorough investigation with external cybersecurity experts.
Jordan Avnaim, Chief Information Security Officer at Entrust, highlighted the rapid evolution of social engineering attacks, which are increasingly enhanced by deepfakes and sophisticated impersonation schemes. He pointed out that vulnerabilities within supply chains are commonly exploited by attackers aiming to infiltrate larger networks.
Against the backdrop of the bustling summer travel season, Avnaim stressed that such cyber threats are likely to intensify. He emphasized that safeguarding against these risks necessitates a comprehensive approach, encompassing ongoing employee training, the implementation of Zero Trust principles, robust authentication measures, and identity verification processes that can withstand social engineering efforts. Addressing these vulnerabilities requires a commitment that spans beyond IT departments to include organizational leadership and a substantial investment in cybersecurity preparedness.
Currently, Qantas is collaborating with the Australian Cyber Security Centre and privacy regulators to manage the fallout from the breach. Affected individuals will receive direct communication from the airline. As a precaution, Qantas urges all passengers to be vigilant against phishing attempts that may impersonate the airline and to avoid sharing sensitive information such as passwords or payment details through email or phone communications.
