Australia’s largest data breach in years: Qantas hack exposes 6m customer details

A significant hacking attack on Qantas has exposed millions of customer details; the aviation industry is warned that this won't be the last.

Australian airline Qantas has become the latest victim of a significant data breach. The Qantas hack exposed the data of an estimated six million customers, including names, emails, phone numbers, birth dates and frequent flyer numbers.

Qantas identified the hack on 30 June, and today, Wednesday 2 July, said the affected system had been contained and was now secure.

Qantas CEO Vanessa Hudson confirmed that the airline has brought in independent cybersecurity specialists to lead a thorough investigation into the incident.

A dedicated customer support line has been established, along with a webpage on the Qantas website, to keep affected customers informed as the investigation develops.

“We sincerely apologise to our customers and we recognise the uncertainty this will cause,” Hudson said. “Our customers trust us with their personal information and we take that responsibility seriously.”

The breach occurred at a third-party contact centre; Qantas has not specified its operator or location.

It’s the most significant data breach in Australia since telecommunications network operator Optus was hacked in 2022. Then, approximately 9.8 million customers had their personal data exposed, leading to tighter regulations and mandatory reporting of compliance and incidents.

Is the Qantas hack down to Scattered Spider?

Experts say that the Qantas hack has all the hallmarks of an attack by the cybercriminal group known as ‘Scattered Spider,’ sometimes also called ‘Muddled Libra’. These groups are the same actors that brought down MGM and Caesars in 2023 and healthcare and insurance firms in 2024, and infiltrated Hawaiian Airlines and WestJet in 2025.

The FBI and other groups have sent out warnings over the past week that this hacking group is targeting the aviation sector, urging airlines and airports to tighten their security to avoid an incident.

But while this type of attack is in line with the modus operandi of Scattered Spider, experts say it’s too early to tell whether the group is responsible.

“While Scattered Spider has a history of targeting global organisations including those in Australia, it’s too early to tell if they’ve expanded their current targeting to Australian airline organisations,” Charles Carmakal, Mandiant Consulting chief technology officer, told Computer Weekly.

Social engineering hacks on the rise

Hackers like Scattered Spider use ‘social engineering’ techniques to gain access to internal systems. This can mean impersonating employees or contractors to deceive IT desks into granting access.

They add their own telephone number, used for multi-factor authentication (MFA), to an employee account, thereby allowing them to bypass the usual controls. Once inside, they are able to steal personal details and deploy ransomware against the company.
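
Defenders can look for this pattern in identity audit logs: a phone factor enrolled by someone other than the account owner, enrolled shortly after a helpdesk reset, or reused across several accounts. The Python below is an added example, not from the article or any vendor; the event schema, field names, review window and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events; the field names are a hypothetical schema,
# not the export format of any particular identity provider.
EVENTS = [
    {"ts": "2025-07-01T09:00:00", "user": "alice", "action": "mfa_phone_added",
     "actor": "alice", "phone": "+61400000001"},
    {"ts": "2025-07-01T10:02:00", "user": "bob", "action": "helpdesk_reset",
     "actor": "agent7", "phone": None},
    {"ts": "2025-07-01T10:05:00", "user": "bob", "action": "mfa_phone_added",
     "actor": "agent7", "phone": "+61400000099"},
    {"ts": "2025-07-01T11:30:00", "user": "carol", "action": "helpdesk_reset",
     "actor": "agent3", "phone": None},
    {"ts": "2025-07-01T11:41:00", "user": "carol", "action": "mfa_phone_added",
     "actor": "carol", "phone": "+61400000099"},
    {"ts": "2025-07-01T15:00:00", "user": "dave", "action": "helpdesk_reset",
     "actor": "agent3", "phone": None},
    {"ts": "2025-07-02T09:00:00", "user": "dave", "action": "mfa_phone_added",
     "actor": "dave", "phone": "+61400000004"},
]

def flag_mfa_enrollments(events, window=timedelta(minutes=30)):
    """Return {user: [reasons]} for phone enrollments that need review."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort as text
    last_reset = {}      # user -> time of latest helpdesk reset
    phone_owners = {}    # phone -> set of users it was enrolled for
    findings = {}
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["action"] == "helpdesk_reset":
            last_reset[e["user"]] = ts
            continue
        if e["action"] != "mfa_phone_added":
            continue
        reasons = []
        if e["actor"] != e["user"]:
            reasons.append("enrolled_by_other_actor")
        reset = last_reset.get(e["user"])
        if reset is not None and ts - reset <= window:
            reasons.append("soon_after_helpdesk_reset")
        owners = phone_owners.setdefault(e["phone"], set())
        if owners - {e["user"]}:   # same number already tied to another account
            reasons.append("phone_shared_across_accounts")
        owners.add(e["user"])
        if reasons:
            findings.setdefault(e["user"], []).extend(reasons)
    return findings
```

Calling `flag_mfa_enrollments(EVENTS)` on the constructed sample flags `bob` and `carol` and leaves `alice` and `dave` alone; widening `window` trades fewer misses for more review work.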

In 2023, Scattered Spider used ‘vishing’ (voice phishing) to access MGM’s internal systems via a helpdesk. Hotel check-ins were halted, slot machines went down in Las Vegas and reservation systems were disabled. The cost to MGM was estimated at $100 million plus.

Caesars Entertainment was hit just before MGM, but paid a ransom of an estimated $15 million to stop the attack. Customer loyalty programme data was compromised, but the company chose to disclose quietly and restore operations quickly, avoiding the prolonged outages that MGM suffered.
