Qantas is conducting ongoing investigations into a major cyberattack that leaked customer data worldwide. Image credit: The Nightly
(The Post News) – Qantas Airways confirmed on Sunday that hackers released the personal details of 5.7 million customers onto the dark web. Hackers linked to the Scattered Lapsus$ Hunters cybercrime group stole the data in a cyber attack last July on dozens of global companies that used a third-party customer support system.
Millions of bank, credit card, and password policy customers’ records were compromised as a result of the hacking of a Qantas call center platform. The stored information includes names, email addresses, and frequent-flyer numbers, and some entries also hold telephone numbers, addresses, birth dates, and meal types.
The credit card, banking, and password policies weren’t breached, Qantas said. It hasn’t provided compensation but has sent letters to impacted customers and set up a 24/7 identity protection hotline.
Cybersecurity Minister Tony Burke called on Australians not to search for stolen data on the internet, as it is illegal to seek out hacked material.
No person should go searching for it, even to confirm their own information, Burke told ABC News in an interview.
Cyber security expert Troy Hunt described Qantas’s court order against publication of the data as useless for discouraging hackers.
You can’t expect criminals to respect a court order, Hunt contended.
Cyber Attack Details
Researchers believe that the attackers used vishing, or voice phishing, to persuade Qantas employees to grant access to a system linked to Salesforce. Salesforce said that its app itself was not breached and that the attack relied on social engineering, not on attacks against its code.
High-profile victims of this incident include Google, Disney, Toyota, IKEA, Air France-KLM, and Chanel.
The NSW Supreme Court issued an order to Qantas to restrict access to the stolen data. The airline is supporting the Australian Cyber Security Centre and the federal police.
Cyber experts forecast an increase in attempted scams, as scammers use leaked personal data to impersonate Qantas and other genuine companies. Customers have already been victims of impersonator calls and fake emails.
The authorities warn customers to:
Hang up on dubious calls claiming to be from Qantas.
Check that emails come from addresses ending in @qantas.com or @qantas.com.au.
Enable two-factor authentication on accounts.
Never provide passwords or personal data over the phone.
Wider Cybersecurity Breaches
Australia continues to be hit by a string of massive data breaches.
Optus (2022): 9.8 million customers affected.
Medibank Private (2022): 9.7 million policyholders compromised.
MediSecure (2024): 13 million records hacked.
In 2024, the Office of the Australian Information Commissioner (OAIC) received reports of 1,113 breaches, a record number since reporting began.
The law firm Maurice Blackburn is considering a class action against Qantas over the breach.
The Qantas hack underlines that social engineering, not software flaws, is still one of the biggest threats to corporate data. Experts say Australians need to stay alert, lock down their online identities, and consider whether their own data might already be out there.