Qantas Confirms Massive Data Breach, Investigates Exposure of Six Million Customer Records
SYDNEY — Qantas has confirmed a major data breach affecting the personal information of up to six million customers, following unauthorized access to a third-party service used by the airline’s contact center.
The breach was detected on June 30, when the airline observed abnormal activity within the external platform. The system stores names, phone numbers, email addresses, birth dates, and frequent flyer numbers. The airline stated that no passwords, credit card details, passport information, or PINs were stored on the compromised system.
In an official statement, Qantas said, “Immediate steps were taken to contain the system,” and investigations are ongoing to determine the full scope of the breach. While the total number of affected users has not been confirmed, the airline expects the amount of exposed data to be significant.
Qantas Group CEO Vanessa Hudson issued a public apology. “We sincerely apologize to our customers and recognize the uncertainty this will cause,” she said. Hudson encouraged concerned individuals to contact a dedicated support line and confirmed that airline safety and operations remain unaffected.
The company has alerted the Australian Federal Police, the Australian Cyber Security Centre, and the Office of the Australian Information Commissioner. These agencies are now coordinating with Qantas to assess the breach and implement next steps.
The incident coincides with a warning from the FBI, issued via X (formerly Twitter), identifying airlines as active targets for a cyber criminal group known as Scattered Spider. The group has been linked to recent attacks on Hawaiian Airlines and Canada’s WestJet. It has also been named in investigations into recent cyber incidents targeting British retailers, including Marks & Spencer.
This breach adds to a growing list of cyberattacks targeting Australian firms in 2025. In recent months, AustralianSuper and Nine Media also confirmed significant data leaks. The Office of the Australian Information Commissioner reported in March that 2024 marked the highest number of recorded data breaches since national tracking began in 2018.
Australian Privacy Commissioner Carly Kind stated, “The trends we are observing suggest the threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish.” She urged both public and private institutions to enhance their cybersecurity defenses.
Qantas has not confirmed how attackers accessed the system or whether Scattered Spider was involved. The airline continues to work with cybersecurity experts to track the origin of the breach and limit any further risk to users.
