A Qantas call centre has been the target of a major cyber attack, with the data and records of up to 6 million customers being stolen.
Qantas is continuing to investigate the proportion of the data that has been stolen, though it expects the amount will be significant. An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers.
However, credit card details, personal financial information and passport details are not held in the system that was breached. No frequent flyer accounts were compromised, nor have passwords, PIN numbers or login details been accessed.
“We sincerely apologise to our customers and we recognise the uncertainty this will cause,” Qantas Group chief executive officer, Vanessa Hudson, said in a statement.
“Our customers trust us with their personal information, and we take that responsibility seriously. We are contacting our customers today, and our focus is on providing them with the necessary support.
“We are working closely with the Federal Government’s National Cyber Security Coordinator, the Australian Cyber Security Centre and independent specialised cyber security experts.”
As Qantas conducts the investigation, it has upped its security measures to further restrict access and strengthen system monitoring and detection.
The Australian Cyber Security Centre and the Office of the Australian Information Commissioner have been notified by Qantas. Given the criminal nature of this incident, the Australian Federal Police has also been notified. The airline said it will continue to support these agencies as the investigation continues.
Qantas has established a customer support line and a dedicated page on qantas.com to provide customers with the latest information. It will continue to share updates via its website and social channels.
While it’s too early to tell the impact on Qantas’s brand, the airline hasn’t had the easiest run of things recently.
Josh Bornstein, who represented the Transport Workers Union (TWU) in its 2020 case against Qantas over the airline’s illegal sacking of some 1,820 ground handling employees during the COVID pandemic, said the airline had engaged in corporate “ethics washing” and heavily damaged its brand in the process.
The TWU won the case and a High Court appeal in 2023, but the final penalty amount is yet to be settled.
Qantas’s response is certainly swifter than Optus’ following its 2022 data breach, when it took four days for the announcement of the major breach to be emailed to all the 9.8 million people impacted.
Optus’ response to the data breach was heavily criticised by many in the weeks and months that followed. Mark Forbes, director of corporate PR and crisis comms agency Icon Reputation, told B&T that customer comms had been “poor and slow”.
“Surely an immediate mass email warning all 11 million Optus customers would have been more efficient, especially as the customer emails contained no personalised information about what data had been stolen,” he added, noting that none of the emails said the company was sorry.
Instead, Optus expressed “great disappointment” that it had been the victim of a cyberattack.
Following a Ticketmaster data breach in 2024, Nigel Phair, a professor in Monash University’s Department of Software Systems & Cybersecurity, said companies aren’t investing enough to protect consumers’ data.
“Significant data breaches are becoming all too common. The current legislative approach is clearly not working, as organisations are still not putting sufficient effort into cyber risk management,” he said.
The damage caused by large data breaches can be substantial. A new study by Honeycomb Strategy revealed that nearly half of Optus and Medibank customers had either switched to competitors or were planning to in the wake of large-scale data breaches at the telco and insurance firm.
As Qantas begins sweeping up the chaos from this data breach, Aussie consumers must surely be sick and tired of data breach after data breach, with calls for greater brand safety likely to follow.