Australian airline Qantas has experienced a major cyber-attack that it said breached a third-party system containing the records of some 6 million customers, in an incident that may be linked to the hacking group that carried out attacks on Marks & Spencer and other UK retailers.
The airline said the attack had been contained and its systems were secured.
The system targeted was a third-party platform used by the airline’s customer contact centre.
Stolen data
It holds customer data including names, email addresses, phone numbers, birth dates and frequent flyer numbers, but no payment card details, financial information or passport details, Qantas said.
No frequent flyer accounts, passwords, PINs or other login details were compromised, according to the airline.
Qantas said it noticed “unusual activity” on Monday and immediately took steps to contain the system.
It said in a statement that cybercriminals has “targeted a call centre and gained access to a third-party customer servicing platform”.
Qantas is still investigating the extent of the breach but said it expects the proportion of data stolen to be “significant”.
It has notified the Australian Federal Police, the Australian Cyber Security Centre and the Office of the Australian Information Commissioner.
“We sincerely apologise to our customers and we recognise the uncertainty this will cause,” said Qantas Group chief executive Vanessa Hudson.
She told customers to contact Qantas if they have concerns and said the incident would not affect the airline’s operations or safety.
The breach came days after US authorities warned that the hacking group Scattered Spider was targeting the airline sector.
Scattered Spider
The US’ Hawaiian Airlines and Canada’s WestJet were both affected by comparable cyberattacks in recent weeks.
Silicon UK reported in May that authorities believed the same group could be behind attacks on retailers in the UK including the Co-op and Marks & Spencer.
It is known to use social-engineering methods in which attackers pose as staff to deceive internal IT help desks to gain access to accounts and bypass two-factor authentication, the FBI said last week.
“They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk,” the FBI said in its alert.
Scattered Spider’s attacks date back to disruptive incidents that affected Las Vegas casinos in 2023 and companies in the financial sector in 2024.
Scattered Spider typically works with other hacking groups to help exploit security vulnerabilities and usually steals data to be used to extort payments from targets, as well as deploying ransomware to lock companies out of their systems.