Australian airline Qantas has disclosed a cyberattack involving unauthorized access to a third-party customer platform, with a significant amount of customer data likely compromised.
Threat Actors Breach Qantas Contact Center Platform
Qantas Airways, the country’s largest airline, confirmed a data breach after attackers gained unauthorized access to a third-party system used by a customer contact center. The breach, which was detected on Monday, impacted a platform housing service records for nearly six million customers.
In a public statement, Qantas said:
“On Monday, we detected unusual activity on a third-party platform used by a Qantas airline contact centre. We then took immediate steps and contained the system. We can confirm all Qantas systems remain secure.”
An internal review found that customer names, email addresses, phone numbers, birth dates, and frequent flyer numbers were among the compromised data. However, no credit card or financial details, passwords, PINs, or login credentials were exposed.
Large-Scale Exposure and Regulatory Involvement
Qantas said it expects the volume of compromised data to be “significant” and is continuing to assess the extent of the breach. The airline has reported the incident to the Australian Cyber Security Centre (ACSC), the Office of the Australian Information Commissioner (OAIC), and the Australian Federal Police.
There is no confirmation yet whether external forensic firms are assisting in the investigation.
Scattered Spider’s Role in Ongoing Aviation Sector Attacks
The breach occurred amid heightened warnings from cybersecurity researchers about Scattered Spider, a threat group increasingly targeting the aviation and transportation sectors. While Qantas has not formally attributed the incident to this group, researchers say the attack shares notable characteristics with other recent intrusions linked to them.
Scattered Spider—also tracked under names like 0ktapus, UNC3944, Muddled Libra, and Scatter Swine—is known for advanced identity-based attacks. Its techniques include phishing, SIM swapping, MFA bombing, and impersonating employees in help desk calls to capture credentials and infiltrate internal systems.
In recent months, the group has been linked to attacks on:
- MGM Resorts, where over 100 VMware ESXi hypervisors were encrypted.
- Caesars Entertainment, allegedly breached using social engineering.
- Hawaiian Airlines and WestJet, believed to be part of a broader campaign in the aviation sector.
In the WestJet incident, attackers leveraged a self-service password reset feature to gain internal access—mirroring the tactics suspected in the Qantas breach.
Ongoing Campaign Signals Sector-Wide Vulnerabilities
Scattered Spider operates with a sector-specific targeting model, focusing on one industry at a time. After impacting retail and insurance sectors earlier this year, the group has now turned its attention to aviation.
Cybersecurity firms including Google’s Threat Intelligence Group and Palo Alto Networks have warned that these attacks exploit identity management weaknesses, including third-party platforms and internal support channels.
Organizations defending against these threats are advised to:
- Secure password reset mechanisms.
- Harden access to help desk systems.
- Monitor identity and access management (IAM) platforms.
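The three recommendations above come together in one detection: a self-service password reset followed within minutes by a new MFA factor enrolment or a login from a location the account has never used is the pattern described in the WestJet incident. The script below is an added example written for this article, not code from Qantas, StoneFly or any IAM vendor. The audit events, their JSON schema and the event names (user.password.self_service_reset, user.mfa.factor_enroll, user.session.start) are constructed for illustration; a real deployment would map them onto the field names of the organisation's own IAM export.

```python
"""Flag risky account-recovery sequences in IAM audit logs (added example).

Baseline: countries seen in successful logins before a reset.
Alert:    a self-service reset followed, inside a short window, by
          - a new MFA factor enrolment (high if the reset came from an
            unseen country, medium otherwise), or
          - a login from an unseen country (medium).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event names are hypothetical; adapt to the IAM product's audit schema.
RESET = "user.password.self_service_reset"
ENROLL = "user.mfa.factor_enroll"
LOGIN = "user.session.start"

# Constructed sample audit log (JSON lines), not real data.
SAMPLE_EVENTS = """
{"ts": "2025-06-30T07:00:00Z", "user": "carol", "event": "user.session.start", "ip": "203.0.113.30", "country": "AU"}
{"ts": "2025-06-30T07:10:00Z", "user": "carol", "event": "user.password.self_service_reset", "ip": "192.0.2.55", "country": "NL"}
{"ts": "2025-06-30T07:15:00Z", "user": "carol", "event": "user.session.start", "ip": "192.0.2.55", "country": "NL"}
{"ts": "2025-06-30T08:01:00Z", "user": "alice", "event": "user.session.start", "ip": "203.0.113.10", "country": "AU"}
{"ts": "2025-06-30T08:05:00Z", "user": "alice", "event": "user.password.self_service_reset", "ip": "198.51.100.7", "country": "US"}
{"ts": "2025-06-30T08:07:00Z", "user": "alice", "event": "user.mfa.factor_enroll", "ip": "198.51.100.7", "country": "US"}
{"ts": "2025-06-30T08:09:00Z", "user": "alice", "event": "user.session.start", "ip": "198.51.100.7", "country": "US"}
{"ts": "2025-06-30T08:30:00Z", "user": "bob", "event": "user.session.start", "ip": "203.0.113.22", "country": "AU"}
{"ts": "2025-06-30T09:00:00Z", "user": "bob", "event": "user.password.self_service_reset", "ip": "203.0.113.22", "country": "AU"}
{"ts": "2025-06-30T09:20:00Z", "user": "bob", "event": "user.session.start", "ip": "203.0.113.22", "country": "AU"}
"""


def parse_events(raw):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_recovery_abuse(raw, window_minutes=30):
    """Return a list of alerts, one per suspicious reset-then-follow-on sequence."""
    window = timedelta(minutes=window_minutes)
    known_countries = defaultdict(set)  # per-user baseline from earlier logins
    pending = {}                        # user -> most recent reset awaiting follow-on
    alerts = []

    for ev in parse_events(raw):
        user = ev["user"]
        if ev["event"] == RESET:
            pending[user] = ev          # a reset alone is not an alert
            continue

        reset = pending.get(user)
        if reset is not None and ev["ts"] - reset["ts"] <= window:
            new_location = reset["country"] not in known_countries[user]
            severity = None
            if ev["event"] == ENROLL:
                severity = "high" if new_location else "medium"
                reason = "MFA factor enrolled shortly after self-service reset"
            elif ev["event"] == LOGIN and new_location:
                severity = "medium"
                reason = "login from previously unseen country after self-service reset"
            if severity:
                alerts.append({
                    "user": user,
                    "severity": severity,
                    "reason": reason,
                    "reset_ip": reset["ip"],
                    "follow_on_event": ev["event"],
                    "minutes_after_reset": (ev["ts"] - reset["ts"]).total_seconds() / 60,
                })
                del pending[user]       # one alert per reset

        if ev["event"] == LOGIN:
            known_countries[user].add(ev["country"])

    return alerts


if __name__ == "__main__":
    for alert in detect_recovery_abuse(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

In the sample, bob's reset from his usual country followed by a normal login produces nothing, carol's reset and login from a new country produce a medium alert, and alice's reset plus immediate factor enrolment from a new country produce a high alert. The window and the choice of baseline attribute (country here; ASN or device ID in practice) are the knobs to tune against the organisation's own reset volume.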
Other known victims linked to this threat actor include Twilio, Coinbase, MailChimp, Reddit, M&S, Erie Insurance, DoorDash, Co-op, and Aflac.
Ransomware, Recovery, and the Need for Immutable Backups
As identity-based intrusions increasingly lead to ransomware deployment, sectors like aviation are facing rising stakes. Many of Scattered Spider’s operations have led to full network encryption using ransomware families like BlackCat, RansomHub, and Qilin.
These attacks frequently target virtual infrastructure, such as VMware environments, leaving victims locked out of core systems. For enterprises handling large volumes of sensitive data, a fast recovery depends on more than incident response—it requires backup environments that cannot be tampered with, even by advanced threat actors.
Looking for a trusted recovery solution?
Defend your organization with StoneFly DR365—an air-gapped, immutable backup and recovery appliance trusted by enterprises to ensure zero data loss even in the event of complex cyberattacks.