Qantas says large amount of customer data stolen in cyberattack on call center

Australian carrier Qantas said hackers who breached one of its call centers stole a significant quantity of customer data.

The airline said on its website that it detected unusual activity on Monday on a third-party platform that one of its call centers used. The airline took immediate action and was able to contain the attack, which it blamed on a criminal hacker.

Qantas said it is investigating the extent of the intrusion but warned that the hackers accessed a “significant” amount of customer data, including names, addresses, phone numbers, dates of birth and frequent-flyer numbers. 

The breach did not compromise any credit card details, personal financial information or passport information, Qantas said, because those are stored in a separate system. The intrusion also did not expect login information for customers’ frequent-flyer accounts.

Qantas said it was working with government authorities, including the Australian Cyber Security Centre and the National Cyber Security Coordinator, as well as independent forensic experts to investigate the breach.

All of Qantas’ systems are now secure and the airline is operating normally, according to the company. It said it was in the process of contacting customers to alert them to the incident. 

Qantas Group, which includes Qantas and Jetstar, carried more than 28 million passengers, according to a first-half report. Qantas Loyalty reached 17 million members. 

The attack occurred days after the FBI confirmed that the hacker gang known as Scattered Spider had shifted its focus toward the aviation industry. Scattered Spider had been targeting retail companies in the U.K. and the U.S. since May before shifting toward insurance and then toward the airline sector in late June. 

U.S. carrier Hawaiian Airlines recently confirmed that it was the target of a cyberattack, although it did not attribute the breach to any specific group. American Airlines also experienced an unspecified IT outage last week, although it remains unclear if a hack was to blame.

Scattered Spider is known for its social-engineering tactics, including voice phishing and other tactics designed to trick call-center workers into handing over credentials or otherwise bypassing multifactor authentication. But security researchers cautioned that other hackers are using the same techniques.

“While Scattered Spider has a history of targeting global organizations including those in Australia, it’s too early to tell if they’ve expanded their current targeting to Australian airline organizations,” Charles Carmakal, chief technology officer at Mandiant, said in a statement. “Various threat actors use telephone-based social engineering to compromise organizations, including a financially-motivated threat actor we call UNC6040.”

Early last month, Google Threat Intelligence Group said that group has been using voice phishing techniques to compromise Salesforce accounts, steal data and engage in extortion attacks. 

Google believes that UNC6040 is associated with the hacker group dubbed The Com, which itself has links to Scattered Spider.