Qantas warns that up to six million customers could be impacted by cyberattack

Jessica Evensen, The Nightly
Qantas has warned that the personal information of up to six million customers may have been stolen after a “significant” cyberattack at its Philippines call centre.

It said an initial review found the stolen data included names, email addresses, phone numbers, birth dates and frequent flyer numbers.

The Australian airline said that it detected “unusual activity” after a cyber criminal targeted its Manila call centre and gained access to one of its third-party platforms on Monday.

The platform has service records of about six million customers.

It is unclear how many West Australians have been affected.

“We then took immediate steps and contained the system,” Qantas said in a statement on Wednesday morning.

“We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant.”

Credit card details, personal finance information and passport details are not held on the platform, meaning frequent flyer accounts, passwords, PIN numbers and login details have not been compromised.

The airline confirmed the system had since been contained and said “all systems remain secure”.

“We understand this will be concerning for customers,” a spokesperson said.

“We are currently contacting customers to make them aware of the incident, apologise and provide details on the support available.

“There is no impact to Qantas’ operations or the safety of the airline.”

Cyber security platform Darktrace’s field chief information security officer Tony Jarvis said initial reports showed the attack had “many hallmarks” of Scattered Spider — a ransomware group which claimed responsibility for cyber attacks against Hawaiian Airlines and Canada’s WestJet last week.

“It’s hard to say with 100 per cent certainty who was behind the attack, but you can tell with a really good level of confidence (it was Scattered Spider),” he told The West.

“(Scattered Spider) are largely known to do attacks where they call employees pretending to be from the IT help desk, and they will say, ‘There’s an issue with your account, we need to reset your password, please tell me your current username and password.’

“Unfortunately employees think they’re dealing with their own internal help desk, but they’re actually talking to the cyber criminal themselves and giving away those details.

“Another common method is through multi-factor authentication bombing . . . where you start getting all these requests saying they’re trying to access the system (asking you to) please click approve.

“You deny (their access) and the same thing happens again and again, until you get so fed up you think ‘I’m just going to say OK to make these alerts go away.’”

Mr Jarvis described the incident as a “supply chain attack” and said Scattered Spider was known to blackmail large companies.

It is unclear if Qantas has fallen victim to a ransomware attack.

“This is not a direct attack on Qantas themselves . . . what we saw here, is one of the third parties or contractors that Qantas does business with, was attacked successfully,” he said.

“The attacker is leveraging a successful attack against the contact centre to get into Qantas.

“(Then the) attackers say, ‘look we’ve got the data, now you need to pay us money . . . if you don’t pay us, we are going to release all of this information publicly’.

“That usually takes the form of uploading it onto the dark web where lots of people that you don’t want accessing that data can go and download it for little or no charge.”

Mr Jarvis said the conviction rate for cyber attacks was “really low”.

“When we talk about the online world, people are hiding behind internet addresses and they can be in all sorts of far-flung countries,” he said.

“We don’t have extradition agreements with every single country in the world, so even if we can find out who the attacker is, getting them convicted is a challenge of its own.”

Mr Jarvis advised Qantas passengers to change their passwords and monitor the airline’s official website.

“Qantas advised that passwords were not compromised, but it’s still better to err on the side of caution and go and change those passwords,” he said.

“Check the Qantas website itself; don’t rely on emails being sent, because the email may look like it’s coming from Qantas, but it could be another opportunistic cyber criminal trying to leverage this attack.”

Qantas said it was putting additional security measures in place and that the Australian Federal Police, Australian Cyber Security Centre and the Office of the Australian Information Commissioner had been notified.

“We will continue to support these agencies as the investigation continues,” a spokeswoman said.

Qantas Group chief executive officer Vanessa Hudson said the airline was working with the Federal Government’s national cyber security coordinator, the Australian Cyber Security Centre and independent specialised experts.

“We sincerely apologise to our customers and we recognise the uncertainty this will cause,” she said.

“Our customers trust us with their personal information and we take that responsibility seriously.

“We are contacting our customers today and our focus is on providing them with the necessary support.”

Home Affairs Minister Tony Burke said he had spoken with Cyber Security Coordinator Lieutenant General Michelle McGuinness and Qantas acting chief executive Steph Tully.

He said the airline was fully cooperating with government agencies.

“The government is working with industry experts every day to strengthen Australia’s cyber defences,” he said.

“This includes helping sectors to test and uplift their security settings.”

Mr Burke urged Australians to protect themselves against cyber attacks by keeping their software up to date, using strong passphrases and setting up multi-factor authentication.

Shadow Cyber Security Minister Melissa Price described the incident as a “nationally significant breach”.

“We understand Qantas is cooperating with relevant authorities and it is essential this continues,” she said.

“Australians flying today should feel reassured by Qantas’ statements that operational safety has not been compromised.

“This incident should serve as a wake-up call.

“No business is immune from cyber threats and this breach highlights just how vital it is for Australian companies to treat cyber security as a boardroom level priority.”

Independent WA Senator Fatima Payman said she had personally asked Qantas to confirm whether her own data had been compromised.

“I seek clarity on the protections Qantas is offering to high-risk individuals, such as parliamentarians, business leaders, and other public figures, who may now be more exposed to malicious cyber activity,” she said.

“I would also appreciate a detailed outline of the cyber security improvements Qantas has adopted following previous incidents, including how third-party vendors and offshore call centres are being vetted and secured moving forward.

“As our national carrier, Qantas bears a responsibility to set the benchmark for cyber resilience and transparency.”

Consumer advocacy group CHOICE senior campaign and policy advisor Bea Sherwood said in a statement the incident highlighted the need for an aviation ombudsman.

“This is not the first time Qantas customers have had issues with the airline, with CHOICE giving the company a Shonky Award in 2022 for unusable flight credits, delayed flights, and more,” he said.

“Despite ongoing issues with Qantas and other airlines since, customers still don’t have an effective means of directing or resolving their complaints.

“The Australian Financial Complaints Authority and the Telecommunications Industry Ombudsman consider financial and telco complaints, including about data breaches.

“There is currently no equivalent independent body for airline customers to raise concerns - a huge gap in our consumer protection system.”

Customers can contact a dedicated support line on 1800 971 541 or +61 2 8028 0534 and will have access to specialist identity protection advice and resources.

Customers can check their flight details via the Qantas app or website.