Qantas Confirms Major Data Breach Linked to Third-Party Vendor
Qantas has confirmed a data breach after attackers gained access through a third-party call centre platform, affecting millions of frequent flyers just as the airline industry heads into its busiest season.
The breach was discovered on July 1 2025 when the airline’s cybersecurity team flagged suspicious activity on systems run by an external contact centre provider. Initial estimates, as per Qantas’ press release, indicate that records for up to six million customers may have been exposed, including names, email addresses, phone numbers, dates of birth and frequent flyer numbers. Qantas says no financial data, passwords or passports were affected.
While the company contained the breach quickly, cybersecurity analysts warn this attack fits a pattern that has hit multiple airlines in recent weeks. Security firms and US federal agencies are pointing to the hacking group known as Scattered Spider, which is suspected to be behind similar incidents targeting Hawaiian Airlines and WestJet last month.
These attackers specialise in social engineering tactics that trick customer service staff and vendors into handing over access to internal systems. Scattered Spider has been blamed for several high-profile cyber attacks, including recent ones on Victoria’s Secret, M&S and Co-op, and the attack on MGM Resorts in September 2023.
Threat Against Airlines
Airlines are prime targets for cybercriminals because they hold massive amounts of personal data and run tight schedules across global operations. Qantas says its core systems remain secure and that the compromised platform was isolated and investigated with help from external experts.
Jordan Avnaim, CISO at Entrust, says social engineering attacks are advancing fast, driven by deepfakes and highly convincing impersonation scams. He notes that supply chain vulnerabilities are a favoured entry point for criminals seeking access to bigger networks.
“With the busy summer travel season underway, it’s not surprising to see attackers zero in on the travel and aviation sector, where they can disrupt operations and shake customer trust. Protecting against this threat calls for more than just perimeter security. It means keeping employees trained, applying Zero Trust principles, using strong authentication that can’t be tricked, and having identity checks that stand up to social engineering. This is not just an IT problem, it needs ongoing investment and board-level commitment to prepare for incidents and respond fast when they happen,” Avnaim says.
Qantas is working with the Australian Cyber Security Centre and privacy regulators. Affected customers will be contacted directly. The airline recommends passengers stay alert for phishing emails pretending to be from Qantas and reminds them never to share passwords or payment details by email or phone.