Qantas has suffered a major cyber-attack, potentially exposing the records of up to 6 million customers.
The airline said on Wednesday that the affected system had now been contained and its systems were secured. The system in question was a third-party platform used by the airline’s contact centre, which contains the records of 6 million customers.
The data includes customer names, email addresses, phone numbers, birth dates and frequent flyer numbers. It did not contain credit card details, financial information or passport details.
Frequent flyer accounts were not compromised, neither were passwords, pins or login details.
Qantas said it first detected the unusual activity on Monday and immediately took steps to contain the system.
Qantas is assessing the portion of data stolen but said it was expected to be “significant”.
The identity of the attacker is not yet known but is believed to bear similarities to the tactics of the so-called Scattered Spider ransomware group that had been targeting airlines and retail stores in the US and UK.
The Guardian reported in May that Scattered Spider is unusual among hacking groups deploying ransomware because it is composed of native English speakers from countries such as the UK, US and Canada.
The FBI last week warned airlines in the US that the group was targeting the aviation sector. In a post on X, the FBI said the group uses social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access, and bypassing multi-factor authentication.
“They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk,” the FBI said.
They then steal sensitive data for extortion and often deploy ransomware that locks up company systems.
Qantas said it has informed the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, as well as the Australian federal police.
The airline’s chief executive, Vanessa Hudson, said the company had recruited independent specialised cybersecurity experts to investigate the matter.
How the wealthy are buying up land to avoid inheritance tax
A dedicated customer support line and a dedicated page on the company’s website will update customers as the investigation progresses.
“We sincerely apologise to our customers and we recognise the uncertainty this will cause,” Ms Hudson said. “Our customers trust us with their personal information and we take that responsibility seriously.
“We are contacting our customers today and our focus is on providing them with the necessary support.”
Cyber-attacks remain on the increase in Australia, after superannuation funds in April suffered hacks on a small handful of customers that resulted in more than $500,000 being taken from their accounts.
In May, the Office of the Australian Information Commissioner said the number of data breaches reported under the mandatory notification scheme had increased by 25 per cent in 2024, compared with 2023.
According to the report covering July 1st to December 31st 2024, there were 595 data breaches in the latter half of the year, taking the total number of breaches reported that year to 1,113, up 25 per cent from 893 in 2023.
In the half year, the highest number of reports came from health providers (121) followed by government (100), finance (54), legal and accounting (36), and retail (34).
The report found 69 per cent of the data breaches occurred due to malicious or criminal attack, with phishing – that is, using compromised credentials to access data – being the most common at 34 per cent of such incidents. It was followed by ransomware at 24 per cent.
The majority of reported breaches affected fewer than 5,000 people each but two were reported to affect between 500,000 and 1 million people. Most personal information in the breaches comprised contact information, ID information or financial or health information. - Guardian
