Australia’s Qantas says 6 million customer accounts accessed in cyber hack

A cyber hacker infiltrated a database holding the personal details of millions of customers, Qantas (QAN.AX) stated, marking Australia’s largest data breach in years and a setback for an airline attempting to restore trust following a reputational crisis.

Qantas stated on Wednesday that the hacker attacked a call centre and accessed a third-party customer service platform that held six million names, email addresses, phone numbers, birth dates, and frequent flyer numbers. The airline did not disclose the location of the call center or the customers whose data was breached. It stated that it discovered the breach upon noticing irregular activity on the platform and took swift action to address it. The airline did not disclose the location of the call center or the customers whose data was affected. It reported that it discovered the breach after noticing atypical activity on the platform and took swift action to limit it. The U.S. Federal Bureau of Investigation announced last week that the cybercrime organization Scattered Spider had been attacking airlines, with Hawaiian Airlines (HAII.UL) and Canada’s WestJet already reporting security breaches. Qantas did not identify any group.

“What makes this trend particularly alarming is its scale and coordination, with fresh reports that Qantas is the latest victim” of a hack, said Mark Thomas, Australia director of security services for cyber security firm Arctic Wolf.

Scattered Spider hackers are known to impersonate a company’s tech staff to gain employee passwords and “it is plausible they are executing a similar playbook”, Thomas said.

Charles Carmakal, chief technology officer of Mandiant, a cybersecurity firm owned by Alphabet, stated that it’s premature to determine if Scattered Spider was accountable but “global airline organizations must remain vigilant against social engineering attacks.”

Qantas’ stock price fell by 2.4% in afternoon trading, while the broader market rose by 0.8%. The incident marks Australia’s most notable breach since those involving telecommunications operator Optus and health insurance giant Medibank (MPL.AX) in 2022, which triggered cyber resilience regulations that require mandatory reporting of compliance and incidents. This situation adds negative scrutiny to Qantas, which is attempting to regain public trust after its actions during and following the COVID-19 pandemic caused it to fall in airline and brand rankings.

Qantas was determined to have unlawfully terminated thousands of ground employees during the 2020 border shutdown while receiving government aid funds. It also acknowledged selling numerous tickets for flights that had been cancelled.

The airline faced criticism from opposition politicians who claimed it pressured the federal government in 2022 to deny a request from Qatar Airways to increase flight sales. Qantas rejected claims of pressuring the government, which ultimately denied the request—a decision that the consumer regulator stated harmed price competition.

Qantas CEO Vanessa Hudson has enhanced the airline’s public image since her appointment in 2023, according to reputation metrics. Qantas reported that it informed the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Australian Federal Police.

ACSC chose not to provide a comment, while AFP stated merely that it was informed about the incident. The OAIC was not readily available for a response. The airline stated that the hacker did not gain access to frequent flyer accounts or any customer passwords, PINs, or login information.