Largest Data Breach in Australia in Years
Qantas has suffered a major cyberattack, marking Australia’s biggest data breach in years. The airline confirmed on Wednesday that a hacker broke into a third-party customer service platform, gaining access to the personal information of around six million customers. The stolen data includes names, email addresses, phone numbers, birth dates, and frequent flyer numbers.
The airline detected unusual activity on the platform and acted immediately to contain the breach. Qantas did not reveal the location of the targeted call centre or specify which customers were affected. “We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant,” Qantas said. The breach has not impacted flight operations or safety.
Links to Wider Airline Cyber Attacks
This attack follows a warning from the U.S. Federal Bureau of Investigation last week that the cybercrime group Scattered Spider has been targeting airlines, with Hawaiian Airlines and Canada’s WestJet also reporting breaches. While Qantas did not name the group responsible, experts believe the hacking trend is becoming more coordinated.
Mark Thomas, Australia director for Arctic Wolf, said the trend is “alarming in its scale and coordination.” Charles Carmakal from cybersecurity firm Mandiant noted that although it is too soon to confirm Scattered Spider’s involvement, airlines worldwide should remain on high alert for social engineering attacks.
Qantas’ share price fell 2.4% following the breach, while the broader market rose 0.8%.
Reputational Challenge for Qantas
The breach draws unwelcome attention to Qantas as it works to rebuild public trust after previous controversies. The airline faced criticism for actions during and after the COVID-19 pandemic, including the illegal sacking of thousands of ground staff and selling tickets for flights that had already been cancelled.
Qantas CEO Vanessa Hudson, who took office in 2023, has made progress in restoring the airline’s reputation. Acknowledging the breach, she said, “We recognise the uncertainty this will cause. Our customers trust us with their personal information, and we take that responsibility seriously.”
Qantas confirmed that customer passwords, PIN numbers, and login details were not accessed in the breach. The airline has notified the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Australian Federal Police, who have acknowledged awareness of the incident.
with inputs from Reuters
