Australian airline Qantas said it was investigating a “serious” cyberattack that resulted in the leak of sensitive personal data of about six million of its customers. As it became known on Wednesday, hackers managed to penetrate a system managed by a third-party partner of the company and which includes customer service data.
Names, emails, and dates of birth in the hands of hackers
Qantas confirmed that cybercriminals gained access to information such as names, email addresses, phone number,s and dates of birth. Although the company assured that no credit card details or passport numbers were stored on the system in question, it admitted that the volume of data stolen is expected to be “significant”.
“We are continuing to investigate the exact extent of the breach, but initial indications are that this is a significant breach,” Qantas said in a statement.
No impact on flights – Concerns about identity theft
The airline stressed that the operation of its flights and the security of its fleet were not affected by the attack. However, experts are sounding the alarm about the potential consequences for customers.
University of Adelaide cybersecurity professor Christopher Bronk warned that the data that was stolen could be used for fraud and identity theft. He noted that such information is often sold on the dark web and used to create fake accounts or loans in the names of unsuspecting citizens.
New episode in a long list of cyberattacks in Australia
This incident adds to a series of serious data breaches that have hit Australia in recent years, raising serious concerns about the security of citizens’ personal information.
In 2024, Qantas was again in the spotlight when a glitch in its mobile app exposed passengers’ booking details and the names of other users.
In 2023, the country’s largest port facilities, which handle 40% of its cargo, temporarily stopped operating when hackers broke into the systems of DP World.
In 2022, insurer Medibank suffered one of the largest data breaches in the country’s history, when Russian hackers gained access to the personal information of more than nine million current and former customers.
The same year, telecommunications company Optus was the target of another attack, with 9.8 million personal records being compromised – a fact that had sparked political reactions and a review of the country’s data protection legal framework.
Questions about the security of third-party providers
The new attack on Qantas brings back to the fore the issue of the security of third-party systems that work with large organizations. Although Qantas has not yet revealed who the provider of the service system that was compromised was, the case demonstrates the vulnerability that can arise from external partners, especially when they handle personal data on a large scale.
Call for stricter protection
The new cyberattack intensifies calls for the adoption of stricter rules for the protection of personal data in Australia. While the country already has privacy laws, experts say the regulations need to be modernized and enforced to hold companies more accountable for how they store and manage their customers’ data.
At the same time, the incident could also have an impact on consumer confidence in iconic companies like Qantas, which have been synonymous with reliability in the Australian market for decades.
The company has not yet announced whether it will compensate affected customers or offer identity theft protection services. The investigation is ongoing.
