Qantas has confirmed it is being extorted by cybercriminals after a recent data-theft attack potentially exposed sensitive information belonging to nearly six million customers. The airline revealed the extortion attempt in a statement on July 6, saying a threat actor had made contact and that federal authorities were now involved.
“A potential cyber criminal has made contact, and we are currently working to validate this,” Qantas said.
“As this is a criminal matter, we have engaged the Australian Federal Police and won’t be commenting any further on the details of the contact.”
Data Breach Originated from a Third-Party Vendor
The breach was initially disclosed on July 1 after Qantas detected unusual activity in a third-party system used by one of its contact centres. According to the airline, the compromised data includes:
- Names
- Email addresses
- Phone numbers
- Dates of birth
- Frequent flyer numbers
Crucially, Qantas clarified that financial information, passport numbers, passwords, PINs, and login credentials were not affected.
Customers Warned About Phishing Risks
The airline is urging customers to be cautious of potential phishing scams leveraging the stolen data.
Qantas emphasized that any official communication would come from the “@qantas.com” domain and reminded customers that the airline will never ask for login credentials, passwords, or ticket confirmation codes via email, SMS, or phone call.
Linked to Scattered Spider’s Aviation Campaign
The Qantas cyberattack is part of a broader campaign attributed to threat actors associated with Scattered Spider, a group known for its advanced social engineering tactics. These attackers commonly target help desks and third-party service vendors, manipulating staff into resetting passwords and bypassing multi-factor authentication.
The same group has previously been linked to attacks on:
- Marks & Spencer and Co-op (retail sector, April)
- WestJet and Hawaiian Airlines (aviation sector)
- Multiple insurance firms
In the case of M&S, attackers successfully impersonated an employee and tricked a service desk into resetting login credentials and MFA protections—mirroring the tactics suspected in the Qantas breach.
Investigation Underway with National Agencies
Qantas is now working closely with:
- Australian Federal Police (AFP)
- Australian Cyber Security Centre (ACSC)
- Office of the Australian Information Commissioner (OAIC)
- External cybersecurity experts
The full scope of the breach and the nature of the extortion demand remain undisclosed. As of now, no ransomware payload has been confirmed, and Qantas has not publicly attributed the breach to any specific group.