Qantas Cyberattack Exposes Data of 6 Million Passengers


In early July 2025, Qantas Airways confirmed a significant cyber incident involving unauthorized access to a third-party customer service platform used by its contact centers. While core airline systems remain unaffected, the breach exposed personal data belonging to approximately 6 million customers. Early analysis suggests a social engineering vector may have been used, potentially involving tactics employed by the Scattered Spider threat group. No passwords or financial data were accessed, but identity data was exposed.

Severity Level: High

Incident Overview

  • Discovery: Qantas detected “unusual activity” on a third-party platform on Monday, 30 June 2025
  • Containment: The affected system was immediately isolated; no other Qantas systems were compromised
  • Systems involved: A platform used by a Manila-based contact centre, managed by a third-party vendor

How The Breach Happened

  • Attack method: Qantas attributes the compromise to a social engineering “vishing” attack, where attackers impersonated legitimate staff to manipulate a call centre employee into granting access
  • Threat actor: FBI alerts link such attacks to Scattered Spider, a group known for targeting airlines and third-party providers using advanced social engineering tactics

Data Exposed

  • Affected PII includes: Customer names, Email addresses, Phone numbers, Dates of birth, Frequent Flyer numbers
  • Not compromised: Credit card details, Passport numbers, Frequent Flyer login credentials (PINs, passwords)

Root Cause

  • Third-party dependency: Qantas’s outsourced contact centre was targeted via social engineering.
  • Insufficient vendor governance: Though Qantas had frameworks for third and fourth party risks, this exploit shows that in-person training and identity verification.
  • Weak defense against voice phishing: Helpdesk procedures were bypassed via impersonation over the phone. Despite MFA, attackers exploited human trust.

Lessons Learned

  • Outsourced contact centers, especially offshore, must be treated as critical extensions of your organization’s security posture. Conduct regular risk assessments, enforce minimum cybersecurity controls in contracts, and monitor third-party environments like internal ones.
  • Sophisticated vishing (voice phishing) can trick even trained staff and bypass technical safeguards like MFA. Invest in role-specific social engineering training and simulate vishing attacks periodically for both internal and third-party staff.
  • Voice-based identity requests are highly exploitable by attackers impersonating insiders. Enforce strict callback, passphrase, or token-based identity verification for any high-privilege access request over phone or email.
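The callback and token checks in the last point can be enforced in the helpdesk tooling itself rather than left to agent judgement. The following sketch is an added example, not part of the original advisory or any Qantas system; the directory entries, action names and function names are hypothetical, and the phone numbers are constructed.

```python
import hmac
import secrets

# Constructed sample data: employee -> phone number of record (hypothetical).
DIRECTORY = {"e1001": "+61 2 5550 0101", "e1002": "+61 2 5550 0102"}
# Actions that must never be granted on the strength of an inbound call alone.
HIGH_PRIVILEGE = {"mfa_reset", "password_reset", "grant_access"}

_pending = {}  # (employee_id, action) -> one-time code awaiting read-back


def start_verification(employee_id, action):
    """Begin a high-privilege request.

    Returns (callback_number, code). The agent ends the inbound call and dials
    callback_number; the code goes to the employee's enrolled device, never to
    the caller. Returns None for an unknown employee.
    """
    number = DIRECTORY.get(employee_id)
    if number is None:
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[(employee_id, action)] = code
    return number, code


def approve(employee_id, action, dialed_number=None, code_read_back=None):
    """Decide a request. Returns (approved, reason)."""
    if action not in HIGH_PRIVILEGE:
        return True, "low-privilege action"
    # pop() makes the code single-use, whether or not this attempt succeeds.
    expected = _pending.pop((employee_id, action), None)
    if expected is None:
        return False, "no verification in progress"
    if dialed_number != DIRECTORY.get(employee_id):
        return False, "callback was not made to the number of record"
    if not hmac.compare_digest(expected, code_read_back or ""):
        return False, "one-time code mismatch"
    return True, "verified by callback and one-time code"
```

A caller-supplied number is never consulted: the only number that satisfies the check is the one already on record, so a convincing voice on an inbound call cannot complete the request by itself.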

Recommendations

  1. Implement strict vendor security assessments and periodic audits, especially for outsourced contact centers and service providers.
  2. Enforce contractual requirements for minimum cybersecurity hygiene, including MFA, endpoint protection, incident response protocols, and breach notification timelines.
  3. Maintain an updated vendor risk register, including fourth-party dependencies.
  4. Train all internal and external (vendor) staff to recognize and respond to vishing, impersonation, and social engineering techniques.
  5. Avoid storing excessive customer data in third-party environments. Only the minimum required PII should be accessible.
  6. Qantas customers can contact the airline's dedicated support line on 1800 971 541 or +61 2 8028 0534 for access to specialist identity protection advice and resources.
  7. Customers who receive suspicious emails, text messages or calls from someone purporting to be Qantas can report them to the dedicated support line, to Scamwatch, or to local authorities.

Source:

  • https://www.malwarebytes.com/blog/news/2025/07/qantas-breach-affects-6-million-people-significant-amount-of-data-likely-taken
  • https://www.qantasnewsroom.com.au/media-releases/qantas-cyber-incident/
  • https://www.qantasnewsroom.com.au/media-releases/update-on-qantas-cyber-incident/

Ampcus Cyber