Australia’s largest airline Qantas has confirmed that the recent data breach impacted 5.7 million individuals.
Early this month, Australian airline Qantas disclosed a cyberattack after hackers accessed a third-party platform used by a call centre, stealing significant customer data. The breach, linked to ongoing Scattered Spider activity, was detected and contained on Monday. Qantas confirmed that while the system is now secure, a substantial amount of data was likely compromised during the incident.
“Qantas can confirm that a cyber incident has occurred in one of its contact centres impacting customer data. The system is now contained.” reads the statement published by the company. “We understand this will be concerning for customers. We are currently contacting customers to make them aware of the incident, apologise and provide details on the support available. The incident occurred when a cyber criminal targeted a call centre and gained access to a third party customer servicing platform.”
Australia’s largest airline detected unusual activity on a third-party platform used by its contact centre and quickly contained it. The company highlights that while core systems remain secure, data from up to 6 million customer service records may have been stolen, including names, emails, phone numbers, birth dates, and frequent flyer numbers. No financial data, passport details, passwords, or login credentials were compromised.
Qantas confirmed that hackers stole data of approximately 5.7 million customers and have begun extortion attempts to prevent its release.
“A potential cyber criminal has made contact, and we are currently working to validate this,” reads the company’s updated statement. “As this is a criminal matter, we have engaged the Australian Federal Police and won’t be commenting any further on the details of the contact.”
In a new update provided by the company, Qantas’ investigation confirms that 5.7M unique customers were affected in the data breach. No credit card, financial, or passport info was accessed, and Frequent Flyer accounts remain secure.
The analysis of customers’ personal data has found (all numbers are approximate):
- 4 million customer records are limited to name, email address and Qantas Frequent Flyer details. Of this:
  - 1.2 million customer records contained name and email address.
  - 2.8 million customer records contained name, email address and Qantas Frequent Flyer number. The majority of these also had tier included. A smaller subset of these had points balance and status credits included.
- Of the remaining 1.7 million customers, their records included a combination of some of the data fields above and one or more of the following:
  - Address – 1.3 million. This is a combination of residential addresses and business addresses including hotels for misplaced baggage delivery.
  - Date of birth – 1.1 million
  - Phone number (mobile, landline and/or business) – 900,000
  - Gender – 400,000. This is separate to other gender identifiers like name and salutation.
  - Meal preferences – 10,000
Customer records are based on unique email addresses and customers with multiple email addresses may have multiple accounts.
Qantas is now contacting affected customers to inform them of the specific data compromised and provide support. CEO Vanessa Hudson emphasized their focus on transparency and customer support.
“Our absolute focus since the incident has been to understand what data has been compromised for each of the 5.7 million impacted customers and to share this with them as soon as possible.” said Hudson.
“From today we are reaching out to customers to notify them of the specific personal data fields that were held in the compromised system and offer advice on how they can access the necessary support services.”
The airline has implemented additional cybersecurity measures and is continuing its review. Customers are advised to watch for phishing emails pretending to be from Qantas.
The airline has notified the Australian Cyber Security Centre, the Privacy Commissioner, and the Federal Police due to the criminal nature of the breach.
At the end of June, the FBI reported that the cybercrime group Scattered Spider was now targeting the airline sector.
The cybercriminals use social engineering techniques to gain access to target organizations, impersonating employees or contractors. In many cases, the threat actors bypassed multi-factor authentication (MFA) by tricking victims’ help desk services into adding unauthorized MFA devices to compromised accounts.
“These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access. These techniques frequently involve methods to bypass multi-factor authentication (MFA), such as convincing help desk services to add unauthorized MFA devices to compromised accounts.” reads the alert published by the FBI on X. “They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.”
Scattered Spider is targeting large corporations and their third-party IT providers; every organization in the airline sector is a potential target, including trusted vendors and contractors.
Scattered Spider steals data for extortion and often launches ransomware once inside. The FBI is partnering with the aviation industry to stop attacks and help victims, and says that early reporting helps it act fast, share intel, and limit damage.
“Once inside, Scattered Spider actors steal sensitive data for extortion and often deploy ransomware. The FBI is actively working with aviation and industry partners to address this activity and assist victims.” continues the alert. “Early reporting allows the FBI to engage promptly, share intelligence across the industry, and prevent further compromise.”
Recently, Unit 42 also warned that Muddled Libra is targeting aviation with advanced social engineering and fake MFA reset attempts.
“Unit 42 has observed Muddled Libra (also known as Scattered Spider) targeting the aviation industry. Organizations should be on high alert for sophisticated and targeted social engineering attacks and suspicious MFA reset requests.” Palo Alto Networks Unit 42’s Sam Rubin wrote on LinkedIn.
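One way a defender could hunt for the help-desk MFA abuse that the FBI and Unit 42 describe above, as an added example that is not from the article, Qantas or either source: it correlates an MFA device enrolled by someone other than the account owner with a later sign-in from an address that account has never used. The event schema, field names, sample events and the 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # assumed correlation window, tune per environment

# Constructed sample events (hypothetical schema):
# time, event type, actor, target account, source IP
RAW = [
    ("2025-06-30T17:00:00", "signin", "carol", "carol", "203.0.113.30"),
    ("2025-07-01T08:02:00", "signin", "alice", "alice", "203.0.113.10"),
    ("2025-07-01T09:15:00", "mfa_device_added", "helpdesk-7", "alice", "198.51.100.4"),
    ("2025-07-01T09:21:00", "signin", "alice", "alice", "192.0.2.77"),
    ("2025-07-01T10:00:00", "mfa_device_added", "bob", "bob", "203.0.113.20"),
    ("2025-07-01T10:05:00", "signin", "bob", "bob", "203.0.113.20"),
    ("2025-07-01T11:00:00", "mfa_device_added", "helpdesk-2", "carol", "198.51.100.4"),
    ("2025-07-01T11:30:00", "signin", "carol", "carol", "203.0.113.30"),
]
EVENTS = [dict(zip(("ts", "type", "actor", "target", "ip"), r)) for r in RAW]


def find_suspicious_enrolments(events, window=WINDOW):
    """Alert when an MFA device is added by a third party (e.g. help desk)
    and the account then signs in, within `window`, from an IP it never used."""
    known_ips = {}  # account -> source IPs seen in earlier sign-ins
    pending = {}    # account -> (enrolment time, who enrolled the device)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO 8601 sorts lexically
        ts = datetime.fromisoformat(e["ts"])
        acct = e["target"]
        if e["type"] == "mfa_device_added" and e["actor"] != acct:
            pending[acct] = (ts, e["actor"])  # self-service enrolments are ignored
        elif e["type"] == "signin":
            seen = known_ips.setdefault(acct, set())
            if acct in pending:
                enrolled_at, by = pending[acct]
                if ts - enrolled_at > window:
                    del pending[acct]  # enrolment too old to correlate
                elif e["ip"] not in seen:  # an account with no history counts as new
                    delay = int((ts - enrolled_at).total_seconds() // 60)
                    alerts.append({"account": acct, "enrolled_by": by,
                                   "signin_ip": e["ip"], "delay_minutes": delay})
                    del pending[acct]
            seen.add(e["ip"])
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrolments(EVENTS):
        print(alert)
```

An alert here is a lead for review, not proof of compromise: the help desk ticket behind the enrolment and the caller verification that was performed are what confirm or clear it.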
Pierluigi Paganini
(SecurityAffairs – hacking, Qantas)