Australian flag carrier Qantas confirmed on July 2, 2025 that a cyberattack against a third-party platform used by one of its contact centres exposed personal data belonging to approximately 6 million customers. The airline detected the intrusion on June 30, contained the affected system, and stated that its core operational systems remain secure. The incident ranks among the largest disclosed breaches in Australian history and reignites concerns over third-party risk in the aviation sector.

What Happened

On Monday, June 30, 2025, Qantas detected unusual activity on a third-party platform used by one of its airline contact centres. The company says it took immediate containment steps and confirmed that its internal Qantas systems were not compromised. The breach was disclosed publicly on July 2 via an official company announcement and an accompanying customer FAQ.

Qantas has not publicly identified the affected vendor, but the airline is a known customer of contact-centre platforms including Salesforce and Genesys, both of which are commonly deployed in airline customer-service environments. The airline has stated it is still investigating what proportion of the records was actually exfiltrated, but expects the volume to be "significant."

What Was Taken

The compromised platform held personally identifiable information for up to 6 million customers, including:

Qantas confirmed that the affected platform did not store credit card numbers, other financial data, or passport details. While the data set excludes payment credentials, the combination of name, date of birth, contact details, and loyalty account identifiers provides attackers with a high-quality dataset for phishing, account takeover of frequent flyer balances, and identity verification fraud.

Why It Matters

Nearly half of Australia's population is enrolled in the Qantas Frequent Flyer program, and the scheme is tightly integrated with banks, retailers, and energy providers. A breach of this scale risks downstream exposure across those commercial partners if attackers pivot loyalty data into broader credential stuffing or social engineering campaigns.

The incident lands in a country still reeling from the 2022 Medibank breach (10 million records) and the Optus breach (9 million records). If the blast radius widens to partner ecosystems, Qantas could join that tier of nationally significant cyber events. The case also reinforces a pattern seen repeatedly across 2024 and 2025: large enterprises being compromised not through their own perimeter, but through SaaS and contact-centre platforms operated by third parties.

The Attack Technique

Qantas has not publicly attributed the intrusion or disclosed the initial access vector. The attack pattern, targeting a third-party contact centre platform holding bulk customer PII, is consistent with recent campaigns by financially motivated threat actors who have aggressively targeted call-centre infrastructure, CRM tenants, and customer-support SaaS to harvest data for extortion.

Notably, this disclosure aligns in timing with a broader wave of activity by the Scattered Spider cluster (UNC3944), which has publicly pivoted toward the aviation sector in mid-2025 and is known for social-engineering help desks, abusing SSO and MFA reset workflows, and exfiltrating data from cloud CRM tenants. No formal attribution has been made by Qantas at this time.

What Organizations Should Do

  1. Inventory third-party contact-centre and CRM exposure. Identify every SaaS platform that stores customer PII on your behalf, including Salesforce, Genesys, AWS Connect, NICE, and Five9 deployments, and validate the data classification stored in each.
  2. Harden help desk and identity workflows. Implement out-of-band verification for MFA resets, SSO recovery, and privileged account changes to defeat voice-based social engineering attacks targeting service desks.
  3. Enforce least privilege in SaaS tenants. Limit bulk export, API token scope, and report generation rights inside CRM and contact-centre platforms; alert on anomalous bulk data pulls.
  4. Monitor for loyalty account abuse. Customers of breached airlines and retailers should expect credential-stuffing and account-takeover attempts targeting points balances; deploy bot mitigation and anomaly detection on loyalty endpoints.
  5. Prepare phishing detection rules. Build detections for spoofed Qantas-branded emails and SMS that reference frequent flyer numbers or birth dates as legitimacy hooks.
  6. Review vendor contracts and IR clauses. Confirm that third-party platform providers are contractually required to notify within defined SLAs, preserve forensic evidence, and grant log access during incident response.
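
As an added illustration of step 3 (alerting on anomalous bulk data pulls), not code from Qantas or any vendor: the sketch below scores export events from a SaaS audit log against each account's own history and sums exports inside a sliding window so that a pull split into smaller chunks still trips the alert. The log format, account names, and the WINDOW, FLOOR and K values are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed audit events: "<timestamp> <actor> <action> <rows>" (hypothetical format).
SAMPLE_LOG = """\
2025-06-23T09:10:00 agent.lee report_export 120
2025-06-24T09:05:00 agent.lee report_export 95
2025-06-23T01:00:00 svc.reporting report_export 40000
2025-06-24T01:00:00 svc.reporting report_export 42000
2025-06-25T01:00:00 svc.reporting report_export 41000
2025-06-30T01:00:00 svc.reporting report_export 41500
2025-06-30T02:00:00 agent.lee report_export 2500
2025-06-30T02:10:00 agent.lee report_export 2500
2025-06-30T02:20:00 agent.lee report_export 2500
2025-06-30T03:00:00 tmp.contractor report_export 7000
"""
WINDOW = timedelta(hours=1)  # assumed sliding window for chunked exports
FLOOR = 5000                 # assumed minimum rows per window worth alerting on
K = 10                       # assumed multiplier on the actor's MAD

def parse(text):
    events = []
    for line in text.splitlines():
        ts, actor, action, rows = line.split()
        if action == "report_export":
            events.append((datetime.fromisoformat(ts), actor, int(rows)))
    return sorted(events)  # chronological, so the baseline is built first

def detect(events, baseline_end):
    """Return (actor, timestamp, rows_in_window) for exports after baseline_end."""
    history, recent, alerts = defaultdict(list), defaultdict(list), []
    for ts, actor, rows in events:
        if ts < baseline_end:
            history[actor].append(rows)  # per-actor baseline of normal export sizes
            continue
        # Sum this actor's exports inside the window so chunked pulls add up.
        recent[actor] = [(t, r) for t, r in recent[actor] if ts - t <= WINDOW] + [(ts, rows)]
        total = sum(r for _, r in recent[actor])
        past = history[actor]
        threshold = FLOOR  # actors with no history are held to the floor
        if past:
            med = median(past)
            mad = median(abs(r - med) for r in past) or 1
            threshold = max(FLOOR, med + K * mad)
        if total > threshold:
            alerts.append((actor, ts.isoformat(), total))
    return alerts

ALERTS = detect(parse(SAMPLE_LOG), datetime(2025, 6, 30))
```

On the constructed data, the reporting service account's routine 41,500-row export stays below its own baseline threshold, while the agent's three 2,500-row exports within 20 minutes and the 7,000-row export from an account with no history are both flagged.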

Sources: Qantas reveals data theft impacting six million customers