Qantas has confirmed that personal data from 5.7 million customers was compromised after attackers hit a third-party system used by one of its call centers. The breach happened on June 30 and, fortunately, didn’t affect any Qantas flight operations or core systems. Still, the exposed data could open the door to phishing and other social engineering attacks.
On July 7, the attacker made contact, likely in an attempt to extort the company. While Qantas didn’t name names, the tactics line up with campaigns seen from a well-known threat group: Scattered Spider.
What Was Accessed
Qantas says no passwords, credit cards, or passport details were taken, but there’s still a lot of customer data in the mix:
- 4 million records included names, emails, and Frequent Flyer info.
- 1.2 million were solely names and emails.
- 2.8 million included Frequent Flyer numbers, including points balances and tier status.
- 1.7 million records had extra personal details:
  - Addresses (1.3 million)
  - Dates of birth (1.1 million)
  - Phone numbers (900,000)
  - Gender (400,000)
  - Meal preferences (10,000)
That might not sound like much, but attackers love this kind of data. It’s enough to create highly convincing phishing scams or even build synthetic identities.
➝ Quick Tip: If you store any personal data—especially things like names, emails, and birthdays—treat it like gold. Run regular audits to monitor who has access to it, especially across third-party vendors and call center platforms.
A Vendor Weak Spot
The attack didn’t come through Qantas’ own network—it came through a third-party system used to support its contact center. This is becoming a trend across industries: attackers are hitting vendors and supply chain partners to get around strong internal defenses.
Qantas has started contacting affected customers and says there’s no current sign the data has been leaked. But with an extortion attempt in play, the risk isn’t over.
➝ Quick Tip: It’s not enough to lock down your own network. Third-party platforms that handle customer info—like contact centers, chatbots, or payment processors—need security reviews and testing too. Penetration testing and gap assessments will help uncover hidden exposure points and lack of third-party controls.
Familiar Threat Actors: Scattered Spider Suspected
While Qantas hasn’t officially confirmed who’s behind the attack, the indicators point to Scattered Spider, a threat group known for targeting the aviation and retail sectors. They specialize in social engineering, SIM swapping, and phishing support staff to get into internal systems.
Scattered Spider has also been connected to ransomware deployment in other industries, sometimes using tools like DragonForce to encrypt and lock systems after stealing data. Luckily, four suspects potentially connected to the cybercrime group have been arrested in the UK for their involvement in other attacks against major British retailers.
➝ Quick Tip: Don’t just look for malware; watch for strange account behavior or login patterns. Threat groups like Scattered Spider rely on credential theft and social engineering, so behavioral monitoring and anomaly detection are key. A well-managed SIEM can help spot signs before the damage spreads.
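One way to express the behavioral check from the tip above, as an added example that is not from Qantas or any vendor: it flags a login from a never-seen device shortly after a support agent changed the account's authentication factor. The event schema, field names, and one-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are hypothetical, not a real IdP schema.
EVENTS = [
    {"ts": "2025-07-01T09:00:00", "user": "alice", "type": "login", "device": "d-100", "actor": "alice"},
    {"ts": "2025-07-01T09:05:00", "user": "bob", "type": "login", "device": "d-200", "actor": "bob"},
    {"ts": "2025-07-02T14:00:00", "user": "alice", "type": "mfa_reset", "device": None, "actor": "helpdesk-7"},
    {"ts": "2025-07-02T14:12:00", "user": "alice", "type": "login", "device": "d-999", "actor": "alice"},
    {"ts": "2025-07-02T15:00:00", "user": "bob", "type": "phone_change", "device": None, "actor": "helpdesk-3"},
    {"ts": "2025-07-02T15:20:00", "user": "bob", "type": "login", "device": "d-200", "actor": "bob"},
    {"ts": "2025-07-03T08:00:00", "user": "carol", "type": "mfa_reset", "device": None, "actor": "helpdesk-7"},
    {"ts": "2025-07-04T08:00:00", "user": "carol", "type": "login", "device": "d-300", "actor": "carol"},
]

RESET_TYPES = {"mfa_reset", "phone_change"}  # factor changes a support agent can make


def find_suspicious_logins(events, window=timedelta(hours=1)):
    """Flag logins from a never-seen device soon after a help-desk factor change."""
    known_devices = {}  # user -> devices seen on earlier logins
    last_reset = {}     # user -> (time, agent) of the most recent factor change
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] in RESET_TYPES and ev["actor"] != user:
            last_reset[user] = (ts, ev["actor"])
        elif ev["type"] == "login":
            seen = known_devices.setdefault(user, set())
            reset = last_reset.get(user)
            if reset and ev["device"] not in seen and ts - reset[0] <= window:
                alerts.append({
                    "user": user,
                    "device": ev["device"],
                    "reset_by": reset[1],
                    "minutes_after_reset": int((ts - reset[0]).total_seconds() // 60),
                })
            seen.add(ev["device"])
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(EVENTS):
        print(alert)
```

In a SIEM the same logic is a correlation rule joining identity-provider admin events with sign-in events; the window is a tuning choice.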
Not Just “Low-Risk” Data
Qantas was quick to point out that sensitive info like financial details and passwords wasn’t part of this breach. That is good news, but it doesn’t mean the risk is low. The kind of Personally Identifiable Information (PII) that was taken (names, addresses, dates of birth, and more) can still be used in highly targeted phishing attacks.
Even something like a meal preference, when combined with other personal details, can make a scam email look a lot more convincing.
➝ Quick Tip: If you’re collecting customer data, especially across different touchpoints, make sure you’re reviewing it regularly and stripping out unnecessary fields. And if you haven’t tested your employees with a phishing simulation recently, now’s a good time. Together, social engineering testing and awareness training create a solid defense against human-focused attacks.
Final Thoughts
The Qantas breach shows how attackers don’t always need to hack your primary environment to cause major damage. A third-party vendor, combined with the right data and a bit of social engineering, can create a serious threat to your customers and your brand.
It’s not just about keeping your systems secure. It’s about knowing who else touches your data and validating that those connections are safe. your environment is secure against these evolving threats.