Attack on airline Qantas sees 6 million customer records breached

Cyberattack comes a day after an FBI warning about Scattered Spider hackers targeting airlines

The personal details of 6 million customers have been breached in an attack on Australian airline Qantas.

The leaked data includes email addresses, phone numbers, dates of birth and frequent flyer numbers. The airline has advised that no sensitive information such as credit card details, passport numbers and financial data was stolen. Such data was not stored on the breached system, reducing the risk of direct financial fraud.

In a post on its website, Qantas says a platform used by an airline contact centre was attacked. The unnamed system holds records 6 million customer records, and the airline presumes that a “significant” amount of that data could have been stolen.

Qantas says it took immediate action to contain the attack and that all systems are now secure. Flight operations and safety were not affected, the airline said, adding that it has reported the incident to Australia’s data protection regulator, cybersecurity agency and police.

In a statement, group CEO Vanessa Hudson said the company is contacting customers with a focus on providing necessary support.

“We sincerely apologise to our customers and we recognise the uncertainty this will cause. Our customers trust us with their personal information and we take that responsibility seriously,” Hudson said.

The identity of the attackers has not been disclosed.

The attack on Qantas comes a day after the FBI advised that Scattered Spider, the loosely affiliated group of hackers responsible for attacks on retailers including M&S and the Co-op, is turning its attention to airlines.

In a post on X, the agency warned that the group is currently targeting airline IT systems by impersonating employees and contractors to manipulate help desk staff.

Social engineering attacks on supply chain partners is a preferred method of threat actors who exploit weak points in the ecosystem rather than attempting a direct attack on the target. This presents a major challenge to organisations with extensive supply chains.

“The aviation industry is heavily reliant on third-party providers for operations such as customer service and, as a result, remains a key target for cybercriminals seeking to compromise major airlines and access sensitive information, said James Neilson, SVP international at critical infrastructure cybersecurity specialist OPSWAT.

“When integrating third parties into business operations, minimum security standards must be established, and third-party activities should be audited and actively monitored.”

Sam Kirkman, director of services EMEA at security firm NetSPI, said: “Service providers must not only deliver results, but they must also do so securely. Yet, in practice, assessing the true security posture of suppliers remains one of the toughest challenges in cybersecurity.”

While the involvement of Scattered Spider has not been verified, Jake Moore, global cybersecurity advisor at ESET, commented that attackers often home in on a particular sector, developing their skills and applying them to the next target, as was the case with retailers. “The airline industry is currently being preyed upon by criminal hackers using clever social engineering techniques, often verbally impersonating employees or contractors to deceive others to hand over credentials. These simple, yet creative, tactics can have a devastating impact on a business and can rapidly dent trust in public confidence.”

As with all cyber breaches, those affected should be extra vigilant against scamming and spoofing attacks using their stolen credentials.