Qantas Data Breach 2025: Up to 6 Million Customer Records Exposed in Cyber Attack
Jul 8, 2025
Executive Summary
On June 30, 2025, Qantas Airways, Australia’s flagship airline, identified a significant data breach involving a third-party customer service platform. The breach potentially exposed the personal data of up to six million individuals. While operational impacts were avoided and sensitive financial information remains secure, Qantas has acknowledged that the scale of the breach is likely to be substantial.
Incident Overview
Qantas detected “unusual activity” within a third-party platform used by its contact centre. Upon discovery, the airline acted swiftly, taking containment measures to prevent further unauthorized access. The compromised system stored sensitive personal information including:
Full names
Email addresses
Phone numbers
Dates of birth
Frequent flyer numbers
Fortunately, the breach did not involve the compromise of passport data, credit card information, or any credentials like passwords or PINs related to frequent flyer accounts.
Scope and Impact
The breach has affected up to six million individuals. While the complete extent of the data accessed is still under investigation, Qantas expects the amount of data stolen to be significant.
Qantas has reported no operational disruption, and flight safety remains uncompromised.
Response Actions
Qantas has taken the following actions in response to the incident:
Implemented immediate system isolation and containment measures.
Notified relevant authorities, including the Australian Federal Police, the Australian Cyber Security Centre (ACSC), and the Office of the Australian Information Commissioner (OAIC).
Launched a dedicated customer support line for affected individuals.
Initiated an internal investigation to understand the breach's scope and origin.
Qantas Group CEO Vanessa Hudson issued a public apology and acknowledged the uncertainty caused by the breach.
Threat Actor Attribution
Although no specific group has claimed responsibility for this attack, the timing coincides with a broader FBI warning regarding cyber threats targeting the airline industry, particularly from the group known as Scattered Spider. This group has recently been linked to cyber attacks against other airlines such as Hawaiian Airlines and Canada’s WestJet, as well as major UK retailers.
Broader Context
The Qantas breach is part of a rising trend of high-profile cyber incidents in Australia. Other recent victims include:
AustralianSuper
Nine Media
According to the OAIC, 2024 was the worst year on record for data breaches in Australia. The Australian Privacy Commissioner, Carly Kind, emphasized the need for enhanced cybersecurity frameworks and warned that both private and public sectors remain highly vulnerable.
ClearPhish Insights
This breach reinforces key trends observed in 2025:
Third-party vendors remain a critical weak point in corporate cybersecurity.
Airline and transportation sectors are high-value targets due to the volume and sensitivity of customer data.
Organizations must adopt zero trust principles, including access control, real-time monitoring, and third-party risk management.
ClearPhish recommends that enterprises conduct thorough audits of all external platforms and vendors handling sensitive data, and have a robust incident response plan in place.