A Qantas airliner in Australia in 2017. Image: Mertie via Flickr / CC BY 2.0

‘Significant’ amount of customer data accessed during cyberattack on Qantas airline

Australian airline Qantas warned customers on Wednesday that a cyber incident exposed customer data. 

The company posted a notice on its website and sent emails to customers explaining that hackers breached a Qantas contact center containing 6 million customer service records. 

The proportion of data stolen is expected to be “significant,” Qantas said, noting that it includes customer names, emails, phone numbers, frequent flyer numbers and birth dates. The affected system does not hold financial information or passport details, the airline said.

“The incident occurred when a cyber criminal targeted a call center and gained access to a third party customer servicing platform. There is no impact to Qantas’ operations or the safety of the airline,” the company said.

The attack comes amid increased concern from law enforcement about cyberattacks targeting the airline industry. On Friday, the FBI said it recently observed the cybercriminal group Scattered Spider achieving access into unspecified company systems by “impersonating employees or contractors to deceive IT help desks into granting access.” 

Qantas said it first detected the incident on Monday after unusual activity was found on a third-party platform used by a contact center. The investigation is continuing, but the airline said the attack appears to be “contained.”

Qantas Group CEO Vanessa Hudson said the company notified the Australian Cyber Security Centre, the Australian Federal Police and the Office of the Australian Information Commissioner about the attack. A support line was created for customers with questions. 

In an apology letter sent to customers and shared on social media, Hudson reiterated the same information and pledged to reach out again to anyone whose data is stolen. 

Qantas is one of the oldest airlines in the world and is the only airline to make stops on all seven continents. It reported $1.39 billion in profit from the second half of 2024. 

A wary industry

The FBI said it is actively working with the aviation industry to help victims.

Scattered Spider’s techniques “often involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts,” the bureau said. 

“They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk. Once inside, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware.”

Charles Carmakal, CTO at cybersecurity firm Mandiant, and experts from Palo Alto Networks backed the bureau’s assessment, with both companies saying they are “aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider.”

The warnings emerged after Hawaiian Airlines and WestJet were allegedly attacked by Scattered Spider last week. 

Sam Rubin, senior vice president of threat intelligence at Palo Alto Networks' Unit 42, told Recorded Future News that Scattered Spider recently migrated toward pure social engineering-based tactics, using their English-speaking skills to fool company employees. 

Rubin said his team has responded to multiple Scattered Spider attacks during campaigns against the retail and insurance industries. 

The group, according to Rubin, is more like a collective than a single entity — focusing intensely on certain industries at a time. It is loosely affiliated with the larger cybercriminal community known as The Com.

He noted that Palo Alto Networks has seen Scattered Spider work with multiple ransomware-as-a-service providers, including AlphV and more recently DragonForce.

The group does not always deploy ransomware, he said, explaining that members have learned to cause disruption “via multiple avenues through damage to virtual infrastructure and cloud assets, or even as collateral damage by responders working to isolate the attacker.”

Victim companies often report operational issues because they have to segment and shut down parts of their network in an effort to limit the ability of bad actors to encrypt files. 

“This approach is highly recommended by incident responders because it's one of the most effective ways to contain the damage. It’s a triage move — like applying a tourniquet — to contain the damage and stop the threat from spreading,” Rubin said. 

Every successful attack against an organization “gives them insight into that organization’s industry which then enables more effective and efficient follow on attacks against other victims in the same vertical.”

There is some evidence from certain attacks that shows members of Scattered Spider have specialized knowledge or insider experience within certain industries. 

“It’s coordinated, calculated, and consistent with their reputation for high-impact business disruption,” he told Recorded Future News.

“Targeting the airline industry ahead of the busy Fourth of July holiday — when millions of travelers are on the move — underscores just how opportunistic and disruptive this group aims to be.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.