Qantas customer data exposed in contact centre breach

Australian flag carrier is investigating significant data theft of personal information for up to six million customers after a third-party platform used by its call centre was compromised

Qantas is notifying millions of customers that their personal information has been compromised following a cyber attack on a third-party platform used by one of its contact centres.

The airline said it had detected unusual activity earlier this week and immediately contained the system, but not before a cyber criminal gained access and stole a “significant” amount of data.

The compromised platform holds service records for six million customers. An initial review has confirmed the stolen data includes customer names, email addresses, phone numbers, dates of birth and frequent flyer numbers.

Qantas was quick to reassure customers that its core systems remain secure and that more sensitive information was not exposed. Credit card details, personal financial information and passport details were not held in the affected system. The airline also confirmed that no frequent flyer accounts were compromised, and that passwords or login details were not accessed.

Even without direct financial data, the kind of personally identifiable information stolen in such breaches is highly valuable on the dark web.

The stolen data can be used for sophisticated phishing and social engineering attacks. Criminals can use the combination of a name, phone number and frequent flyer number to craft highly convincing scams targeting these customers directly, aiming to extract more valuable credentials or financial details down the line.

Kash Sharma, managing director for Australia and New Zealand at cyber security firm BlueVoyant, said that while specific details about how the attack occurred remain unclear, it reflects a broader regional trend: organisations are becoming increasingly vulnerable due to the size and complexity of their digital ecosystems, especially those involving third-party suppliers and service providers.

“The incident that impacts our national airline reinforces the urgent need for all Australian organisations to strengthen cyber resilience beyond their immediate IT environments. That means prioritising supply chain security, embedding clear responsibilities with vendors, and adopting recognised standards like ISO27001,” he added.

Sharma noted that the $6.4m investment by the federal government into sector-wide threat-sharing is a good step, but sustained, coordinated action is essential. “Protecting customer data and system integrity in the digital era must be viewed as a strategic imperative – not just for IT teams, but across executive leadership and government,” he said.

In response to the breach, Qantas has notified the Australian Cyber Security Centre (ACSC), the Office of the Australian Information Commissioner (OAIC) and the Australian Federal Police (AFP).

Qantas Group CEO Vanessa Hudson issued an apology to affected customers. “We sincerely apologise to our customers and we recognise the uncertainty this will cause. Our customers trust us with their personal information and we take that responsibility seriously,” Hudson said in a statement.

“We are contacting our customers today and our focus is on providing them with the necessary support. We are working closely with the Federal Government’s National Cyber Security Coordinator, the Australian Cyber Security Centre and independent specialised cyber security experts.”

While the investigation continues, Qantas said it is implementing additional security measures to further restrict access and strengthen system monitoring and detection on its third-party platforms.

Qantas has established a dedicated customer support line and a webpage to provide updates. The airline said there is no impact on flight operations or safety, and customers with upcoming travel do not need to take any action.
