Qantas data breach affects six million

Customers are urged to be cautious of phishing attempts and to monitor their accounts for any suspicious activity. (AAP Image/Bianca De Marchi)

Qantas has confirmed a major data breach affecting up to six million customers after a cyber attack on a third-party platform used by one of its call centres.

The airline discovered unusual activity on Monday and moved quickly to contain the breach. It said personal details including names, dates of birth, phone numbers, email addresses and frequent flyer numbers were compromised. However, no credit card details, passport numbers or account passwords were accessed.

Chief executive Vanessa Hudson apologised to customers.

“We sincerely apologise to our customers and we recognise the uncertainty this will cause,” she said.

“Our customers trust us with their personal information and we take that responsibility seriously.”

The breach involved a third-party system reportedly linked to a call centre based in Manila. The airline is now working with cybersecurity experts to investigate how the attackers gained access.

The cybercriminal group “Scattered Spider” is suspected of carrying out the attack. The group has previously used sophisticated social engineering to bypass security controls, including multi-factor authentication, and has been linked to incidents targeting airlines in the past.

Qantas has notified the Australian Cyber Security Centre, the Office of the Australian Information Commissioner and the Australian Federal Police.

A dedicated support line has been set up for affected customers on 1800 971 541.

Opposition cyber security spokeswoman Melissa Price described the breach as a nationally significant incident and called for continued transparency.

“This is a stark reminder of the need to strengthen our cyber protections and ensure companies are held accountable for securing personal data,” she said.

The breach follows a smaller privacy incident in May last year when a technical glitch in the Qantas app exposed passenger details. That was traced to a caching issue and not considered a cyber attack.

Customers are urged to be cautious of phishing attempts and to monitor their accounts for any suspicious activity.