Cybercriminals breached a third-party contact centre platform used by Qantas Airways, exposing the personal data of approximately 6 million customers in what security experts believe bears the hallmarks of the Scattered Spider ransomware group. The airline identified the breach on June 30, 2025, after detecting unusual activity on the external platform, which contained names, email addresses, phone numbers, birth dates, and frequent flyer numbers.
The attack targeted personally identifiable information exclusively, leaving credit card details, financial information, passport data, passwords, and PINs uncompromised. Security analysts indicate that Scattered Spider, known for targeting aviation and retail companies, likely employed “MFA bombing” and SIM swapping tactics to exploit vulnerabilities in IT helpdesk operations. These sophisticated social engineering techniques permitted attackers to circumvent security measures without accessing Qantas’ core infrastructure. Modern digital skimmers can compromise sensitive customer records with just 22 lines of malicious code during online transactions.
Sophisticated social engineering tactics allowed cybercriminals to bypass security measures while avoiding Qantas’ core infrastructure systems.
Qantas implemented rapid containment measures following identification and reported the incident to the Australian Cyber Security Centre, Office of the Australian Information Commissioner, and Australian Federal Police. The company established a dedicated customer support line and information page as well as collaborating with independent cybersecurity experts to assess the breach’s full scope. Chief Executive Vanessa Hudson confirmed that an ongoing investigation is being conducted to determine the full extent of the security breach.
Despite reassurances that account passwords and financial details remain secure, the exposed data creates significant risks for affected customers. Cybersecurity experts warn that stolen information facilitates phishing attacks, social engineering schemes, and identity theft attempts. Frequent flyer numbers could lead to loyalty fraud or targeted scams exploiting customers’ travel histories and preferences. The breach follows a concerning trend with 595 breaches recorded in Australia during the second half of 2024 alone.
The incident highlights critical vulnerabilities in third-party vendor security management, demonstrating how external platforms can become entry points for sophisticated cybercriminal groups. Aviation companies represent high-value targets because of extensive customer databases and valuable personal information.
Customers should monitor frequent flyer accounts for unusual activity and remain vigilant against phishing emails or unsolicited calls referencing their exposed personal data. Security experts recommend activating two-factor authentication where available and updating security settings across all accounts.
The breach emphasizes the evolving threat environment facing major organizations, where attackers increasingly target weaker links in extended IT ecosystems rather than directly confronting primary security infrastructure.
