Qantas confirms data breach affecting millions as FBI warns airline sector is key cybercrime target

Qantas is facing a cybersecurity nightmare after confirming a data breach that may have compromised the personal details of up to six million customers, in what experts fear is part of a broader airline sector onslaught by the cybercrime gang Scattered Spider.

The Australian flag carrier said it detected “unusual activity” on 30 June in a third-party customer platform used by its call centres. The breach exposed sensitive personal information — including names, phone numbers, email addresses, dates of birth, and frequent flyer numbers — though Qantas insists that no passwords, PINs, credit card details, or passport numbers were leaked.

In a statement released Tuesday, Qantas said it took “immediate steps and contained the system” once the breach was identified. But the airline admitted that the number of affected profiles is likely to be “significant.”

CEO Vanessa Hudson publicly apologised: “We sincerely regret the uncertainty this causes. We are treating this with the utmost urgency.” She confirmed the airline’s operations and flight safety were unaffected.

The breach has been reported to the Australian Federal Police, the Australian Cyber Security Centre, and the Office of the Australian Information Commissioner (OAIC). A dedicated hotline has been set up for concerned passengers.

This alarming incident comes just days after the FBI issued an alert naming the airline sector as a top target of the cybercriminal collective Scattered Spider. In recent weeks, Hawaiian Airlines and Canada’s WestJet were also hit by similar attacks. The BBC has previously linked the same group to high-profile UK breaches involving retailers like M&S.

While the attackers behind the Qantas breach have not been officially identified, the timing and methods bear striking similarities to Scattered Spider’s known operations — infiltrating third-party service platforms and harvesting mass customer datasets.

Australia has seen a surge in data breaches in 2025. In the past few months alone, retirement fund giant AustralianSuper and media conglomerate Nine Media suffered major leaks. In March, the OAIC reported 2024 as the worst year for data breaches since national records began in 2018.

Australian Privacy Commissioner Carly Kind warned the crisis is escalating. “The trends we are observing suggest the threat of data breaches, especially through malicious actors, is unlikely to diminish,” she said.

Kind urged companies and government agencies to overhaul digital defences, citing the increasing frequency and sophistication of attacks targeting both public and private sectors.

Despite Qantas’s reassurances that critical financial and security information remains protected, privacy experts say the damage is already significant. “Frequent flyer numbers can be combined with other personal data to phish or impersonate customers,” said Dr. Sean Doran, a cybersecurity analyst. “It’s a gateway breach — one that opens doors to deeper fraud.”

With air travel returning to pre-pandemic levels, airlines are under growing pressure to secure sprawling global databases. The breach also raises uncomfortable questions about Qantas’s reliance on third-party platforms and its broader cybersecurity architecture.

As authorities begin a forensic investigation, customers are being advised to monitor emails, watch for suspicious activity, and remain alert to possible phishing attempts.

In a year already marked by escalating digital insecurity, the Qantas breach is yet another wake-up call — not just for the airline, but for an entire industry under siege