
Qantas Data Breach: Third-Party Contact Center Platform That Stored Six Million Customer Records Hacked

Qantas, one of Australia’s largest airlines and the only carrier in the world to offer flights to all seven continents, has disclosed a data breach involving a third-party contact center that could impact up to six million customers.

The company began contacting potentially impacted customers to make them aware of the data breach on June 30. The breach is still under investigation and it is not yet clear exactly how many people are impacted, but the contact center stored a range of personal contact information along with frequent flyer numbers. Qantas has assured customers that payment and authentication information was not accessed.

Data breach continues extended string of high-profile attacks in Australia

The breach appears to be isolated to a third-party contact center that Qantas uses for customer service queries. The airline says that unusual activity was detected on June 30, leading to discovery of the data breach and “immediate” actions to contain it.

The investigation remains ongoing, but Qantas describes the quantity of stolen data as “significant.” The airline says that potentially impacted customers do not have to worry about personal or passport identification numbers, financial information or account credentials being exposed, as the contact center does not appear to have access to that level of information. But it was in possession of customer frequent flyer numbers tied to contact information such as full names, email addresses and phone numbers associated with Qantas rewards accounts, and birth dates.

Up to six million customers might be impacted by the data breach, but an exact number is not yet available. Those who might be impacted are being individually contacted by Qantas, and the airline has also set up a dedicated phone support number for any customers who have questions. The Australian Federal Police have been involved, and the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC) have been notified of the incident.

Australia has been struggling with an extended string of high-profile data breaches involving millions of records for years now, something that has prompted several revisions of national data privacy law to address the issue. Thus far in 2025, major fund manager AustralianSuper and leading newspaper publisher Nine Media have both suffered data breaches that involved third-party contractors, though these look to be much smaller in scale than the Qantas breach. The OAIC recently published statistics indicating that 2024 was Australia’s worst year on record for data breaches, with over 1,110 reported (a 23% increase from the prior year) and 69% of these involving some sort of malicious or criminal attack.

No direct link as of yet between contact center and “Scattered Spider” campaign

There will naturally be speculation given that the FBI very recently issued a warning that prolific hacking group Scattered Spider is focusing its attention on airlines, but thus far there is nothing solid linking the contact center attack to the threat actors. The group compromised Hawaiian Airlines and Canada’s WestJet in June, though it appears in both cases that serious damage was avoided and there is not yet any word of a data breach. The FBI has nevertheless warned that the entire “airline ecosystem” should be on high alert for attempts from the group, which specializes in social engineering of help desks and SIM swaps to intercept 2FA methods.

The data taken from the Qantas contact center does not appear to provide the thieves with a direct link to account logins or financial fraud, but the pairing of names with birth dates is always concerning. These types of data breaches are almost always followed by a wave of phishing attempts on at least some of the victims, with the most likely target in this case being access to Qantas frequent flyer accounts. With the account numbers and surnames in hand, attackers will then only need the user PIN to gain access (unless Qantas subsequently makes changes to the login process). Guessing based on birth dates, publicly available information or even information from other data breaches may prove sufficient without a phishing attempt. Gift cards are listed as an option for redeeming Qantas points, and those are highly targeted by profit-motivated hackers as an easy means of transferring funds internationally.

And though there is not yet a proven link between Scattered Spider and the contact center data breach, airlines and their assorted vendors and contractors should remain wary of the group’s activity. The Google Threat Intelligence Group recently published a guide to improving defenses against the group’s known tactics.

Haris Pylarinos, Founder and CEO of Hack The Box, notes that a breach on just one vendor could spiral into compromise of multiple airlines: “The aviation sector, with its complex network of third-party suppliers and contractors, presents an attractive target. If just one weak link is compromised, the ripple effects could be massive. Proactive security requires organisations to go beyond basic awareness. Security teams must be trained to recognise the tactics attackers use. It is not just about having the right tools, it is about building the right skills to detect and respond before attackers can infiltrate critical systems.”

Charles Carmakal, CTO, Mandiant Consulting – Google Cloud, notes that there are other threat groups that may have decided to target the sector: “While Scattered Spider has a history of targeting global organizations including those in Australia, it’s too early to tell if they’ve expanded their current targeting to Australian airline organizations. Various threat actors use telephone-based social engineering to compromise organizations, including a financially-motivated threat actor we call UNC6040. Organizations that proactively train their help desk staff on robust identity verification processes and implement phishing-resistant MFA are best equipped to thwart these types of attacks. Global airline organizations should be on high alert of social engineering attacks and increase the identity verification rigor of their help desks.”

David Stuart, Cybersecurity Evangelist for Sentra, adds: “Data blindness can take many forms and shapes. The recent Qantas breach reminds us of this. While organizations have both a reason and obligation to protect all customer data, often only the most sensitive data is secured. In the Qantas case, it appears that passports, credit cards, and other very sensitive data were not impacted. However, general customer PII was (names, email addresses, frequent flyer numbers, etc.), and it is feared that 6 million records were disclosed. While PII ranges in sensitivity, when combined, it can still be revealing and enable impersonation, fraud, bias, or account takeover. However, tighter controls on all data may be intrusive, ineffective or too costly. Monitoring data activity for unusual patterns (new accesses, permission changes, exfiltration, etc.) by data log monitoring is one method that has proven to provide early warning to such threats. Organizations must also be acutely aware of where their data resides — and its risk levels — so they can be proactive, not just reactive.”
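Two of the defensive points above, the risk that birth dates from the breach make frequent flyer PINs guessable, and the value of monitoring login activity for unusual patterns, can be made concrete. The following is an added example, not Qantas code or any vendor's product: a PIN-policy check that rejects PINs derived from the holder's date of birth, and a small detector run over constructed login-audit lines (the `ff=`/`surname_ok=`/`pin_ok=`/`ip=` field format is assumed for the example).

```python
import itertools
import re
from collections import Counter, defaultdict
from datetime import date

def dob_pin_candidates(dob: date) -> set[str]:
    """PINs a guesser who knows the birth date would try first: the padded and
    unpadded day, month, and two- or four-digit year, in any order."""
    pieces = {f"{dob.day:02d}", str(dob.day), f"{dob.month:02d}", str(dob.month),
              f"{dob.year:04d}", f"{dob.year:04d}"[2:]}
    return {"".join(c) for n in (1, 2, 3) for c in itertools.permutations(pieces, n)}

def pin_allowed(pin: str, dob: date) -> bool:
    """Policy check at PIN-set time: reject DOB-derived and trivially weak PINs."""
    if not pin.isdigit() or len(pin) < 4 or pin in dob_pin_candidates(dob):
        return False
    if len(set(pin)) == 1:                                  # 0000, 7777
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps not in ({1}, {-1})                         # 1234, 4321

# Assumed audit-line format (constructed for this example, not a real product log).
LOG_RE = re.compile(r"ff=(\d+) surname_ok=([01]) pin_ok=([01]) ip=(\S+)")

def flag_pin_guessing(lines, max_failures=5, max_accounts_per_ip=10):
    """Return (accounts, ips): accounts with repeated wrong-PIN attempts after a
    correct surname, and source IPs that touched unusually many accounts."""
    failures, touched = Counter(), defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ff, surname_ok, pin_ok, ip = m.groups()
        touched[ip].add(ff)
        if surname_ok == "1" and pin_ok == "0":
            failures[ff] += 1
    accounts = {ff for ff, n in failures.items() if n >= max_failures}
    ips = {ip for ip, accts in touched.items() if len(accts) >= max_accounts_per_ip}
    return accounts, ips

# Constructed sample: one account hit with repeated wrong PINs, one IP walking a list.
SAMPLE_LOG = (
    [f"2025-07-01T10:00:{i:02d}Z ff=1234567 surname_ok=1 pin_ok=0 ip=203.0.113.5" for i in range(6)]
    + [f"2025-07-01T10:01:{i:02d}Z ff=555000{i} surname_ok=1 pin_ok=1 ip=198.51.100.9" for i in range(10)]
    + ["2025-07-01T10:02:00Z ff=7654321 surname_ok=0 pin_ok=0 ip=192.0.2.1"]
)
```

In practice the same thresholds would feed an account lockout or step-up verification rather than just a report, and the DOB check belongs wherever PINs are set or reset, including at the help desk.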