By Reuters
A cyber hacker broke into a database containing the personal information of millions of customers, Qantas said, in Australia鈥檚 biggest breach in years and a setback for an airline rebuilding trust after a reputational crisis.
The hacker targeted a call centre and gained access to a third-party customer service platform containing six million names, email addresses, phone numbers, birth dates and frequent flyer numbers, Qantas said in a statement on Wednesday.
The airline did not specify the location of the call centre or customers whose information was compromised. It said it learnt of the breach after detecting unusual activity on the platform and acted immediately to contain it.
鈥淲e are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant,鈥 Qantas said, reporting no impact on operations or safety.
Last week, the US Federal Bureau of Investigation said cybercrime group Scattered Spider was targeting airlines and that Hawaiian Airlines and Canada鈥檚 WestJet had already reported breaches.
Qantas did not name any group.
鈥淲hat makes this trend particularly alarming is its scale and coordination, with fresh reports that Qantas is the latest victim鈥 of a hack, said Mark Thomas, Australia director of security services for cyber security firm Arctic Wolf.
Qantas shutters Singapore-based Jetstar Asia on rising costs, competition
Scattered Spider hackers are known to impersonate a company鈥檚 tech staff to gain employee passwords and 鈥渋t is plausible they are executing a similar playbook鈥, Thomas said.
Charles Carmakal, chief technology officer of Alphabet-owned cybersecurity firm Mandiant, said it was too soon to say if Scattered Spider was responsible but 鈥済lobal airline organisations should be on high alert of social engineering attacks鈥.
Qantas鈥 share price was down 2.4% in afternoon trading against an overall market that was up 0.8%.
Unwelcome attention
The breach is Australia鈥檚 most high-profile since those of telecommunications network operator Optus and health insurance leader Medibank in 2022 prompted cyber resilience laws including mandatory reporting of compliance and incidents.
It brings unwelcome attention to Qantas which is trying to win public trust after actions during and after the COVID-19 pandemic saw it plunge on airline and brand league tables.
Qantas was found to have illegally sacked thousands of ground workers during the 2020 border closure while collecting government stimulus payments.
It also admitted selling thousands of tickets for already-cancelled flights.
The airline drew the ire of opposition politicians who said it lobbied the federal government in 2022 to refuse a request from Qatar Airways to sell more flights.
Qantas denied pressuring the government which eventually refused the request – a move the consumer regulator said hurt price competition.
Qantas CEO Vanessa Hudson has improved the airline鈥檚 public standing since taking office in 2023, reputation measures showed.
鈥淲e recognise the uncertainty this will cause,鈥 Hudson said of the data breach.
鈥淥ur customers trust us with their personal information and we take that responsibility seriously.鈥
Qantas said it notified the Australian Cyber Security Centre, the Office of the Australian Information Commissioner and the Australian Federal Police.
ACSC declined to comment and AFP said only that it was aware of the incident.
The OAIC was not immediately available for comment.
The airline said the hacker did not access frequent flyer accounts or customer passwords, PIN numbers or log in details.