Just days after the FBI warned airlines about a surge in 2FA bypass attacks by the hacker group Scattered Spider, Australian airline Qantas has confirmed a major cybersecurity incident. The breach, which targeted a third-party platform used for customer service, has potentially exposed personal data—including names, emails, birth dates, and frequent flyer details—of up to six million customers.
The attack exploited social engineering tactics, a signature method of Scattered Spider, where attackers impersonate staff to deceive IT help desks into granting unauthorized access. Brett Winterford of Okta described the group as a loosely organized, profit-driven collective that thrives on peer recognition and repeated attacks across successful sectors.
In a July 4 statement, Qantas Group CEO Vanessa Hudson assured that no credit card, passport, or financial data was compromised, and Qantas’ core systems remain secure.
The airline said it contained the breach on July 1 and is working with cybersecurity experts to complete a forensic investigation. Affected customers began receiving email notifications from July 3, with further updates promised on the exact data exposed. Hudson emphasized the company’s commitment to transparency and robust response efforts, saying, “We are treating this incredibly seriously and have implemented additional security measures.”
Cybersecurity professionals, including ex-FBI agent Adam Marrè and OPSWAT's James Neilson, stressed the need for heightened vigilance in the aviation sector, especially during peak travel periods. Marrè urged organizations to strengthen supply chain defenses and advised consumers to verify all communications from airlines.
Graylog’s Ross Brewer, a Qantas customer himself, noted that clear and precise communication from the airline is critical to avoiding unnecessary panic and maintaining public trust.
With airlines holding vast stores of sensitive data, experts warn the industry is an increasingly attractive target for cybercriminals. The Qantas breach reinforces the FBI’s call for all sectors to evaluate their cybersecurity hygiene and response strategies without delay.
