SYDNEY: Qantas Airways has revealed that a cyberattack originating from a Manila-based third-party call centre affected approximately 5.7 million customers. The stolen data includes passenger names, email addresses, frequent flyer numbers, and, in some cases, more sensitive information such as mailing addresses, phone numbers, dates of birth, gender details, and even meal preferences, affecting 10,000 travellers in the latter category.
Crucially, the airline confirmed no credit card numbers, financial data, passport details, passwords, or frequent flyer account credentials were compromised. The breach stemmed from a “vishing” attack—voice phishing—on the outsourced service, allowing attackers to impersonate legitimate staff and extract employee access rights to the system.
Qantas Reinforces Security, Warns Customers of Phishing Risks
Qantas CEO Vanessa Hudson stated the airline is proactively contacting each affected customer with specifics about the data that was stolen and offering guidance on protective measures. The airline also activated a dedicated 24/7 support line and implemented stronger cybersecurity safeguards, in cooperation with the Australian Federal Police and the Australian Cyber Security Centre.
Security experts warn that even partial personal data—like birthdates and addresses—can be leveraged in targeted phishing attacks or password resets. The hacker collective known as Scattered Spider, behind similar breaches at carriers like Hawaiian Airlines and WestJet, is suspected. Authorities are closely monitoring dark web activity for signs of the data being sold or exploited.
Algoritha: The Most Trusted Name in BFSI Investigations and DFIR Services
At-Risk Users and Security Measures
The Hidden Dangers of Meal Preferences
While seemingly innocuous, meal preference data can be used to craft convincing phishing messages—such as fake food voucher offers tailored to specific allergies or dietary needs—boosting the credibility of malicious emails or SMS.
What Travellers Should Do Now
-
Be alert for suspicious calls or texts posing as Qantas.
-
Avoid clicking on links in unexpected messages.
-
Enable MFA on travel and loyalty accounts—preferably via authentication apps.
-
Consider updating frequently used passwords, especially if based on personal data.
Qantas assures passengers that its main systems and safety operations were unharmed, and core Frequent Flyer credentials remain secure. Still, this breach underscores critical vulnerabilities in airline technology, particularly through third-party systems and human-centric attack vectors.
About the Author – Sahhil Taware is a B.Sc. LL.B. (Hons.) student at National Forensic Sciences University, Gandhinagar, with a keen interest in corporate law and tech-driven legal change.