Qantas Airways has launched an investigation into a significant data breach involving a third-party customer service platform, which may have exposed personal information of up to six million people.
The Australian airline detected “unusual activity” on June 30 on the platform used by its contact centre to manage customer data. The compromised information includes names, email addresses, phone numbers, birth dates, and frequent flyer numbers.
Upon discovery, Qantas says it took immediate steps to contain the breach and secure the system. While the full scale of the incident is still being assessed, the company warned that the amount of data accessed is expected to be “significant.”
Crucially, Qantas confirmed that no passport details, credit card information, personal financial data, or frequent flyer passwords and PINs were stored in the affected system.
“We sincerely apologise to our customers and recognise the uncertainty this will cause,” said Qantas Group CEO Vanessa Hudson, adding that the airline has established a dedicated support line for affected customers. She assured the public that the breach has no impact on flight operations or airline safety.
The incident has been reported to the Australian Federal Police, the Australian Cyber Security Centre, and the Office of the Australian Information Commissioner (OAIC).
The breach comes amid growing concerns over cyber threats in the aviation sector. The FBI recently warned that criminal group “Scattered Spider” is actively targeting airlines, with recent attacks reported on Hawaiian Airlines and Canada’s WestJet. The group is also linked to cyber assaults on major UK retailers, including Marks & Spencer.
This latest breach adds to a troubling trend in Australia. In March, the OAIC reported that 2024 was the worst year on record for data breaches in the country. Other high-profile victims this year include AustralianSuper and Nine Media.
Australian Privacy Commissioner Carly Kind has urged businesses and government bodies to enhance cyber defenses, warning that the risk posed by malicious actors remains high across both private and public sectors.
