Qantas: Breach affects 6 million people, “significant” amount of data likely taken

Australia’s largest airline, Qantas, has confirmed that cybercriminals gained access to a third-party customer servicing platform holding 6 million customer service records.

Qantas says the breach occurred after a cybercriminal targeted a call centre and managed to gain access to the third-party platform, presumably via social engineering.

The airline reassured customers that all Qantas systems remain secure and that there would be “no impact to Qantas’ operations or the safety of the airline.” However, Qantas anticipates that a large amount of data has been taken:

“We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant.”

An initial review has confirmed the data includes:

  • Customers’ names
  • Email addresses
  • Phone numbers
  • Birth dates
  • Frequent flyer numbers

Fortunately, credit card details, personal financial information and passport details were not held in the breached system.

The airline responded quickly by isolating the affected system, notifying customers, and working with the Australian Cyber Security Centre, the Australian Federal Police, and independent cybersecurity experts.

The breach at a third-party provider is extra painful since Qantas completed an uplift of its third- and fourth-party cyber-risk governance processes in 2024. In a report released at the time, the airline explained:

“Third- and fourth-party cyber risk involves managing cyber risks from our direct suppliers (third parties) and their suppliers (fourth parties), who can affect our supply chain directly or indirectly through cyber incidents.”

No group has claimed responsibility for the attack yet, which is not unusual if this is a ransomware or extortion attack: groups typically only name a victim on their leak site once negotiations have stalled. But it is notable that this weekend the FBI put out a warning on social media about ransomware attacks targeting airlines.

“The FBI has recently observed the cybercriminal group Scattered Spider expanding its targeting to include the airline sector. These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access. These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts. They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.

Once inside, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware. The FBI is actively working with aviation and industry partners to address this activity and assist victims. Early reporting allows the FBI to engage promptly, share intelligence across the industry, and prevent further compromise. If you suspect your organization has been targeted, please contact your local FBI office.”
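
The help-desk pattern the FBI describes (a reset granted over the phone, then a new MFA device enrolled on the account) leaves a recognisable trail in identity-provider audit logs. The following is an added example, not code from the article, the FBI or Qantas: a small detection rule run over a constructed audit trail. The event layout (ts, actor, target, action, detail), the `helpdesk.` actor prefix and the one-hour window are all assumptions; map them to your own directory and IdP schema.

```python
"""Detection logic for the help-desk-driven MFA bypass the FBI describes.

Added example, not code from the article, the FBI or Qantas. The audit events
below are constructed and use a generic, hypothetical field layout (ts, actor,
target, action, detail) rather than any particular identity provider's schema.
The rule: a help-desk-initiated password reset followed within a short window
by a new MFA device on the same account is a sequence worth a human look.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not real logs). Three accounts:
#   j.smith - help-desk reset, then a new authenticator about 3.5 minutes later (suspicious)
#   a.lee   - help-desk reset, new authenticator more than a day later (outside window)
#   m.chen  - enrols a security key with no preceding help-desk reset (benign)
SAMPLE_EVENTS = [
    {"ts": "2025-06-30T09:02:11Z", "actor": "helpdesk.t1", "target": "j.smith",
     "action": "password.reset", "detail": "ticket=HD-0001"},
    {"ts": "2025-06-30T09:05:40Z", "actor": "j.smith", "target": "j.smith",
     "action": "mfa.device.add", "detail": "type=authenticator-app"},
    {"ts": "2025-06-30T09:07:02Z", "actor": "j.smith", "target": "j.smith",
     "action": "login.success", "detail": "ip=203.0.113.7"},
    {"ts": "2025-06-30T11:30:00Z", "actor": "helpdesk.t1", "target": "a.lee",
     "action": "password.reset", "detail": "ticket=HD-0002"},
    {"ts": "2025-07-01T14:12:00Z", "actor": "a.lee", "target": "a.lee",
     "action": "mfa.device.add", "detail": "type=authenticator-app"},
    {"ts": "2025-06-30T10:00:00Z", "actor": "m.chen", "target": "m.chen",
     "action": "mfa.device.add", "detail": "type=security-key"},
]

# How long after a help-desk reset a new MFA enrolment is treated as linked to it.
DEFAULT_WINDOW = timedelta(hours=1)
# Actors whose name starts with this prefix are treated as help-desk staff
# (an assumption about naming; adapt to your directory).
HELPDESK_PREFIX = "helpdesk."


def parse_ts(value: str) -> datetime:
    """Parse the constructed ISO-8601 UTC timestamp format used above."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_helpdesk_mfa_takeovers(events, window=DEFAULT_WINDOW,
                                helpdesk_prefix=HELPDESK_PREFIX):
    """Return one alert per (help-desk reset, MFA device added) pair on the same
    account where the enrolment lands inside `window` after the reset."""
    by_target = defaultdict(list)
    for event in events:
        by_target[event["target"]].append(event)

    alerts = []
    for account, account_events in by_target.items():
        account_events.sort(key=lambda e: parse_ts(e["ts"]))
        resets = [e for e in account_events
                  if e["action"] == "password.reset"
                  and e["actor"].startswith(helpdesk_prefix)]
        enrolments = [e for e in account_events if e["action"] == "mfa.device.add"]
        for reset in resets:
            reset_at = parse_ts(reset["ts"])
            for enrol in enrolments:
                enrolled_at = parse_ts(enrol["ts"])
                if reset_at <= enrolled_at <= reset_at + window:
                    alerts.append({
                        "account": account,
                        "reset_by": reset["actor"],
                        "reset_at": reset["ts"],
                        "mfa_added_at": enrol["ts"],
                        "mfa_detail": enrol["detail"],
                        "delta_seconds": int((enrolled_at - reset_at).total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_helpdesk_mfa_takeovers(SAMPLE_EVENTS):
        print(f"ALERT {alert['account']}: help-desk reset by {alert['reset_by']} at "
              f"{alert['reset_at']}, new MFA device ({alert['mfa_detail']}) "
              f"{alert['delta_seconds']}s later")
```

On the constructed data only j.smith is flagged: the a.lee enrolment is a day later and m.chen never had a help-desk reset. Tune the window to your own help-desk turnaround times, and treat a hit as a trigger for a callback to the user on a number already on file, not as proof of compromise.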

Qantas has set up a dedicated customer support line as well as a web page to provide the latest information to customers. Qantas says it will also continue to update customers via its social channels.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA, such as SMS codes or one-time codes typed into a web page, can be phished just as easily as a password. FIDO2 can’t be phished in this way because the browser binds each login signature to the genuine site’s domain, so a signature produced on a lookalike site is useless to the attacker.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.
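
To show why a FIDO2 login is phishing-resistant where a one-time code is not, here is an added example (not code from the article or from any vendor) of the relying-party checks in a WebAuthn assertion: the signed clientDataJSON must name the site’s own origin, and the authenticator data must carry the hash of the site’s own RP ID. The RP ID `airline.example` and origin `https://login.airline.example` are hypothetical placeholders, the assertions are constructed in code, and the public-key signature check is deliberately omitted so the origin binding stands on its own.

```python
"""Why FIDO2/WebAuthn logins resist phishing: the relying party checks that the
signed clientDataJSON names its own origin and that the authenticator data
carries the hash of its own RP ID.

Added example, not code from the article or from any vendor. The relying
party origin and RP ID are hypothetical placeholders. Signature verification
with the stored public key is deliberately left out so the origin checks stand
alone; a real RP also verifies the signature over
authenticatorData || SHA-256(clientDataJSON), which is what stops an attacker
from simply rewriting the origin field.
"""
import base64
import hashlib
import json
import os

RP_ID = "airline.example"                    # assumed RP ID (hypothetical)
RP_ORIGIN = "https://login.airline.example"  # assumed origin the RP expects


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON as the browser produces it for a page served
    from `origin`; the page's own JavaScript cannot choose a different origin."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def build_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash (32 bytes), flags (UP|UV), counter."""
    flags = 0x01 | 0x04
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes,
                     expected_origin: str = RP_ORIGIN, rp_id: str = RP_ID):
    """Relying-party checks from the WebAuthn assertion ceremony that reject a
    credential relayed from a lookalike site. Returns (ok, reason)."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or stale assertion)"
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: signed for {client_data.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to a different RP ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo():
    """Three constructed scenarios; returns {name: (ok, reason)}."""
    challenge = os.urandom(32)  # RP-issued per-login challenge
    legit = verify_assertion(
        build_client_data(RP_ORIGIN, challenge),
        build_authenticator_data(RP_ID), challenge)
    # Adversary-in-the-middle phishing page: the browser stamps the lookalike
    # origin into clientDataJSON, and the signature (omitted here) covers it.
    phished = verify_assertion(
        build_client_data("https://login.airline.example.evil.example", challenge),
        build_authenticator_data(RP_ID), challenge)
    # Credential created under the attacker's RP ID: the browser would refuse
    # rpId "airline.example" on an evil.example page, so the hash cannot match.
    wrong_rp = verify_assertion(
        build_client_data(RP_ORIGIN, challenge),
        build_authenticator_data("evil.example"), challenge)
    return {"legit": legit, "phished": phished, "wrong_rp": wrong_rp}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:9s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The contrast with a six-digit code is the point: a code typed into a lookalike page is valid anywhere for the next thirty seconds, whereas the FIDO2 assertion is only ever valid for the origin and RP ID the browser and authenticator wrote into it.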
