
What to Learn From the Qantas Airline Cyber Breach

Qantas has suffered a major cyber-attack, potentially exposing the records of up to 6 million customers.

Commenting on the breach, which occurred in the summer of 2025, the airline stated that the affected system had been contained and that its systems were secure. The system in question was a third-party platform used by the airline’s contact centre, which holds the records of 6 million customers.

The data includes customer names, email addresses, phone numbers, birth dates and frequent flyer numbers. It did not contain credit card details, financial information or passport details. Frequent flyer accounts were not compromised; neither were passwords, PINs, or login details.

Today, we look at the key takeaways from this cyber breach and the preventative measures other organizations can adopt to fortify against similar security risks.

Recovery Steps Following the Qantas Airlines Data Breach

In an updated statement to customers on the Wednesday following the initial breach, Qantas representatives stated that the cybercriminal had “targeted a call centre and gained access to a third-party customer servicing platform”.

The identity of the attacker is not yet known, but the attack is believed to bear similarities to the tactics of the so-called Scattered Spider ransomware group, which had been targeting airlines and retail stores in the US and UK.

The Guardian reported in May that Scattered Spider is unusual among hacking groups deploying ransomware because it is composed of native English speakers from countries such as the UK, US, and Canada.

The FBI cautioned airlines in the US that the group was targeting the aviation sector. In a post on X, the FBI said the group uses social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access, and bypassing multi-factor authentication.

“They target large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk,” the FBI said. “They then steal sensitive data for extortion and often deploy ransomware that locks up company systems.”

What We've Learned: Why Planning Past 30 Days Post-Breach is Critical

When a cyber incident hits, teams prioritize the first 30 days after containment.

However, the real test begins afterwards and can span years. This aftermath is where reputation, compliance, customer trust, and financial liability converge, and the Qantas Airlines cyber breach is just one of many examples of this.

Detailing the following is crucial to long-term recovery success:

  • Key dwell time metrics to benchmark against industry standards (and plan your cyber roadmap against future breaches)

  • Logging key incident response plan (IRP) metrics to provide to insurance companies, relevant police forces, and key stakeholders

In addition, following every cyber incident, organizations should provide up-to-date cybersecurity training for staff, run cybercrime-related “fire drills” to test employees on their emergency knowledge, use a virtual private network (VPN) to protect against Wi-Fi-related vulnerabilities, and ensure that all stakeholders are briefed on any updates to the organization’s incident response plan.

Additional Lessons: Mitigating Third-Party Risks

From suppliers to software providers to service providers, businesses extend their risk profiles by engaging third parties as a means to gain a competitive advantage. Some have deemed this trend the ‘rise of the extended enterprise’: companies that rely on a network of third-party vendors to provide them with organizational value and a competitive advantage must come to terms with the reality that this effectively extends their risk vectors.

A third-party risk management process is essential for business continuity and organizational integrity. Over the past several years, the use of third-party vendors (TPVs) has increased exponentially. Increasingly, companies outsource even primary functions to improve efficiency and save costs.

New Australian Cyber Breach Disclosure Regulations: The Impact

Qantas representatives have confirmed that the company has informed the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Australian federal police. The airline’s chief executive, Vanessa Hudson, confirmed the company had recruited independent specialized cybersecurity experts to investigate the matter.

Cyberattacks remain on the increase in Australia. In April, superannuation funds suffered hacks affecting a small handful of customers that resulted in more than $500,000 being taken from their accounts.

In May, the Office of the Australian Information Commissioner said the number of data breaches reported under the mandatory notification scheme had increased by 25% in 2024, compared with 2023.

According to the report covering July 1st to December 31st 2024, there were 595 data breaches in the latter half of the year, taking the total number of breaches reported that year to 1,113, up 25% from 893 in 2023.

So far this year, the highest number of reports came from health providers (121) followed by government (100), finance (54), legal and accounting (36), and retail (34). The 2025 report also found 69% of the data breaches occurred due to malicious or criminal attack, with phishing being the most common at 34% of such incidents. It was followed by ransomware at 24%.

The majority of reported breaches affected fewer than 5,000 people each, but two were reported to affect between 500,000 and 1 million people. Most personal information in the breaches comprised contact information, ID information or financial or health information.

Conclusion

In 2025, preventative penetration testing has never been more critical. The Qantas Airline cyber breach outlines why companies across Australia need to treat cyber risks as a core business threat.
