
Qantas confirmed a cyberattack affecting a third-party platform used by its customer service operations, which exposed the personal information of millions of customers. The incident, discovered and contained on Monday, did not compromise the airline’s core IT systems or its own environment. Instead, the breach targeted an external system operated by a vendor supporting customer interactions.
The airline reported that the exposed data included frequent flyer member details such as names, dates of birth, email addresses, and tier statuses. While Qantas acknowledged the large volume of affected records, it clarified that no sensitive credentials, passwords, financial data, or travel history had been compromised. The breach came to light following irregular system activity, prompting an internal investigation and coordinated response with third-party cybersecurity specialists. In an email to customers, Qantas stated,
“On Monday, we detected unusual activity on a third-party platform used by one of our airline contact centres. We immediately contained the incident and can confirm all Qantas systems remain secure.
Our initial investigations show the compromised data includes some customers’ names, email addresses, dates of birth and Frequent Flyer numbers. Importantly, no credit card details, personal financial information and passport details are held in the system that was accessed. No Frequent Flyer accounts, passwords, PIN numbers or log in details have been compromised.”
Qantas CEO, Vanessa Hudson, further went on record stating,
“I wanted to update you on a cyber incident that occurred in one of our contact centres impacting customer data. The system is now contained. For those customers whose information has been potentially compromised you will receive further communication from us shortly.
To all our customers, I would like to sincerely apologise that this has occurred.
There is no impact to Qantas’ operations or the safety of our airline. However, we understand that when personal information is at risk, it can affect peace of mind, so we wanted to update all of our customers on what occurred and what we are doing.”
In parallel with containment efforts, Qantas notified relevant government and regulatory bodies, including the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Australian Federal Police. The company also committed to ongoing communication with customers and reinforced that additional controls were already in place to protect critical systems and flight safety operations.
This breach follows a pattern of cyberattacks targeting the aviation sector in recent months. On the same day, the U.S.-based ALPHV/BlackCat ransomware group claimed responsibility for attacking another airline, stating that they stole customer data, photos, emails, and internal documents. Although no direct connection between these events has been confirmed, industry observers have highlighted increased targeting of aviation-related entities by sophisticated threat actors.
Security researchers attribute many of these aviation breaches to the Scattered Spider threat group, also known as UNC3944, Octo Tempest, or 0ktapus. Known for its advanced social engineering capabilities and proficiency in compromising identity systems, Scattered Spider has gained notoriety for breaching help desks, executing SIM swaps, and exploiting multi-factor authentication workflows to gain initial access. The group has targeted high-profile organizations across sectors, often aligning itself with ransomware operations, including BlackCat, RansomHub, and Qilin.
The U.S. government and cybersecurity firms have issued multiple advisories about Scattered Spider’s techniques, which combine phishing, credential theft, and real-time interaction with support personnel to bypass security controls. Their ability to adapt and operate with insider-level knowledge has made them one of the most disruptive cybercriminal groups currently active.
Scattered Spider’s Aim to Fly High
On June 12, WestJet, Canada’s second-largest airline, experienced a cyberattack that temporarily disrupted its internal services and mobile application. The incident immediately triggered an incident response effort that included cybersecurity experts from Palo Alto Networks and Microsoft, according to sources close to the matter. Although WestJet has not officially confirmed the threat actor behind the attack, multiple sources attributed the intrusion to the well-known threat group Scattered Spider.
Scattered Spider allegedly breached WestJet’s data centers and its Microsoft Cloud environment. According to reports, the attackers gained initial access through a self-service password reset performed on an employee account. This tactic enabled the adversary to register a new multi-factor authentication (MFA) device and subsequently gain remote access to WestJet’s network via Citrix. This method aligns with Scattered Spider’s typical modus operandi, which involves targeting help desks and identity infrastructure to bypass authentication controls.
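The sequence reported above (a self-service password reset, then a newly registered MFA device, then remote access) can be watched for in identity and remote-access logs. The following is an added example, not taken from the article or from any vendor's product; the event names, field names and one-hour window are assumptions, and the log entries are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names and event types are hypothetical,
# not the schema of any particular identity provider or remote-access gateway.
EVENTS = [
    {"ts": "2030-01-03T01:02:00", "user": "alice", "type": "sspr_reset", "ip": "198.51.100.7"},
    {"ts": "2030-01-03T01:09:00", "user": "alice", "type": "mfa_register", "ip": "198.51.100.7"},
    {"ts": "2030-01-03T01:20:00", "user": "alice", "type": "remote_login", "ip": "198.51.100.7"},
    {"ts": "2030-01-03T08:00:00", "user": "bob", "type": "sspr_reset", "ip": "203.0.113.5"},
    {"ts": "2030-01-03T08:30:00", "user": "bob", "type": "remote_login", "ip": "203.0.113.5"},
    {"ts": "2030-01-01T09:00:00", "user": "carol", "type": "sspr_reset", "ip": "192.0.2.9"},
    {"ts": "2030-01-03T09:00:00", "user": "carol", "type": "mfa_register", "ip": "192.0.2.9"},
    {"ts": "2030-01-03T09:05:00", "user": "carol", "type": "remote_login", "ip": "192.0.2.9"},
]

# Ordered steps that must all occur for one user inside the time window.
CHAIN = ("sspr_reset", "mfa_register", "remote_login")

def find_reset_chains(events, window=timedelta(hours=1)):
    """Return one alert per user whose events complete CHAIN, in order, within `window`."""
    alerts = []
    progress = {}  # user -> list of (timestamp, event) matched so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        matched = progress.get(ev["user"], [])
        # Discard a partial chain whose first step is older than the window.
        if matched and ts - matched[0][0] > window:
            matched = []
        if ev["type"] == CHAIN[0]:
            matched = [(ts, ev)]  # a fresh reset restarts the chain
        elif matched and ev["type"] == CHAIN[len(matched)]:
            matched = matched + [(ts, ev)]
        if len(matched) == len(CHAIN):
            alerts.append({
                "user": ev["user"],
                "start": matched[0][1]["ts"],
                "end": ev["ts"],
                "ips": sorted({m[1]["ip"] for m in matched}),
            })
            matched = []
        progress[ev["user"]] = matched
    return alerts

if __name__ == "__main__":
    for alert in find_reset_chains(EVENTS):
        print(alert)
```

With the default window only the account that completes all three steps within an hour is flagged; a reset followed by a login with no new MFA device, or a registration days after the reset, is not.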
The threat actor’s consistent use of social engineering, identity manipulation, and MFA hijacking has distinguished them within the threat landscape. While many groups deploy similar tactics, Scattered Spider has become closely associated with these methods due to their operational consistency and focus on high-value sectors. Their recent pivot toward aviation and transportation signals an evolution in their targeting strategy, reflecting broader trends in adversary behavior and sector-specific risk.
On the same day as the WestJet incident, Hawaiian Airlines disclosed that it had also suffered a cyberattack. While the airline did not provide technical details or attribution, a source informed the press that the attacker is presumed to be Scattered Spider. The close timing and similar modus operandi suggest a coordinated campaign aimed at North American aviation entities.
Meanwhile, American Airlines is currently experiencing an IT outage. While the nature of this disruption remains unclear, BleepingComputer has reached out to the airline for clarification. At the time of writing, the company has not responded, and it remains uncertain whether the outage is linked to a broader campaign.
Taken together, these incidents mark a clear escalation in targeted cyber threats against the aviation sector. Scattered Spider’s sustained use of identity-centric intrusions and its tactical shift toward transportation-related infrastructure present a growing risk for airlines. Cybersecurity teams across the industry must adapt quickly, reinforcing identity management practices, increasing monitoring of user behavior, and preparing for advanced social engineering threats that now define the threat actor’s playbook.
Lessons to be Learnt
Qantas’s disclosure underscores the persistent risks associated with third-party vendors and the necessity for comprehensive vendor risk management programs. As threat actors continue to shift focus from direct network breaches to peripheral systems and trusted partners, organizations in the aviation and transportation sectors must bolster visibility, detection, and containment capabilities across their extended IT ecosystems.
This incident also highlights the importance of identity-centric security and resilience against social engineering tactics. With customer service platforms and support desks emerging as key entry points for attackers, organizations must strengthen authentication processes, monitor for anomalous behavior, and continuously train personnel against impersonation-based exploits.
As Qantas works to restore confidence and support affected users, the broader aviation industry faces renewed pressure to evolve its cybersecurity posture in the face of increasingly persistent and capable adversaries. It should be stressed that Qantas’ fast response and disclosure deserve commendation and should be regarded as the gold standard for other organizations to follow.