
Australian airline Qantas confronted a major cybersecurity crisis during 2025, with two distinct incidents compromising millions of customer records and targeting core booking infrastructure. The breaches exposed critical vulnerabilities in third-party service platforms while triggering extensive legal and technical countermeasures from the nation’s flag carrier.
The primary incident occurred in July 2025, when threat actors exploited a customer servicing platform used by Qantas’s Manila call center, ultimately stealing data affecting 5.7 million customers. A secondary ransomware attempt in October specifically targeted the airline’s booking systems, though security teams detected and contained this attack before sensitive data could be encrypted.
What Happened in the Qantas Cyber Incident?
Third-party platform compromise via social engineering
Detected June 30, 2025; Disclosed July 2025
5.7 million customer records
Data leaked on dark web October 11-13, 2025
- 5.7 million customer records compromised across two severity tiers
- Attack exploited external customer service platform rather than core airline systems
- Scattered Spider (UNC3944) threat group attributed with high confidence
- Separate ransomware attempt targeted booking systems in October 2025
- Credit card and financial information remained secure throughout incidents
- NSW Supreme Court injunction obtained to prevent data utilization
- Represents Australia’s most significant breach since Optus and Medibank in 2022
| Fact | Detail |
|---|---|
| Date Detected | June 30, 2025 |
| Initial Disclosure | July 1-2, 2025 |
| Official Confirmation | July 9, 2025 |
| Attack Vector | Social engineering via third-party platform |
| Records Compromised | 5.7 million total |
| High-Impact Records | 1.7 million (PII + Frequent Flyer details) |
| Standard Records | 4 million (contact info only) |
| Threat Actor | Scattered Spider (UNC3944) |
| Extortion Contact | July 7, 2025 |
| Data Release Date | October 11-13, 2025 |
| Ransomware Attempt | October 8, 2025 (booking systems) |
Attack Vector and Methodology
Threat actors executed the breach through social engineering targeting call center operations, specifically exploiting a third-party customer servicing platform used by Qantas’s Manila operations rather than the airline’s core internal systems. The methodology involved MFA fatigue attacks against administrative accounts combined with impersonation of help desk personnel to gain unauthorized access.
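A detection sketch for the MFA fatigue pattern described above, added here as an example and not taken from Qantas, its vendor, or the original article. The event format, account names, and thresholds are assumptions, and the sample events are constructed:

```python
from datetime import datetime, timedelta

# Constructed sample events (not incident data): timestamp, account, push outcome.
SAMPLE_EVENTS = [
    ("2025-01-10T02:14:05", "svc-admin", "denied"),
    ("2025-01-10T02:14:40", "svc-admin", "denied"),
    ("2025-01-10T02:15:10", "svc-admin", "timeout"),
    ("2025-01-10T02:15:55", "svc-admin", "denied"),
    ("2025-01-10T02:16:30", "svc-admin", "approved"),
    ("2025-01-10T09:00:00", "agent-17", "denied"),
    ("2025-01-10T09:00:30", "agent-17", "approved"),
    ("2025-01-10T11:00:00", "agent-22", "approved"),
]

FAILED = ("denied", "timeout")


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_failures=3):
    """Flag accounts that receive a burst of rejected or unanswered push
    prompts, and separately flag an approval that follows such a burst."""
    recent = {}   # account -> timestamps of failed prompts still inside the window
    alerts = []
    for ts_text, account, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        # Drop failures that have aged out of the sliding window.
        failures = [t for t in recent.get(account, []) if ts - t <= window]
        if outcome in FAILED:
            failures.append(ts)
            if len(failures) == min_failures:
                # Burst threshold reached: prompts are being pushed repeatedly.
                alerts.append({"stage": "prompt_burst", "account": account,
                               "at": ts_text, "failed_prompts": len(failures)})
        elif outcome == "approved":
            if len(failures) >= min_failures:
                # Approval right after a burst is the high-priority case.
                alerts.append({"stage": "approved_after_burst", "account": account,
                               "at": ts_text, "failed_prompts": len(failures)})
            failures = []  # a completed login resets the burst counter
        recent[account] = failures
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_burst` alert on an administrative account is the case to escalate first, since it pairs the prompt flood with a successful sign-in.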
Threat Actor Attribution
Cybersecurity analysts attributed the July breach to Scattered Spider (UNC3944) with high confidence. Supporting evidence included an FBI warning issued days before the breach specifically alerting about Scattered Spider targeting airlines, alongside attack methodologies consistent with the group’s known tactics. This threat actor had previously been linked to attacks on Hawaiian Airlines and WestJet.
What Data Was Affected and Who Was Impacted?
High-Impact Customer Records
Approximately 1.7 million customers had high-impact records compromised. These records contained names, email addresses, phone numbers, residential addresses, dates of birth, and Frequent Flyer account details. This subset represented the most sensitive customer information accessible through the breached platform.
Standard Records
An additional 4 million customers had standard records exposed, containing names, email addresses, and Frequent Flyer numbers. While less comprehensive than the high-impact tier, this data still provides sufficient detail for targeted phishing campaigns and identity verification attempts.
Credit card details and personal financial information were not compromised during the July breach. Qantas confirmed that payment data remained secure throughout the incident, as the affected third-party platform did not process or store financial transaction information.
The 5.7 million affected customers divide into two distinct categories: 1.7 million with comprehensive personal identifiers and 4 million with basic contact information. All impacted individuals held Qantas Frequent Flyer accounts.
Qantas’ Response and Current Status
Immediate Containment Measures
Following detection on June 30, 2025, Qantas implemented immediate containment steps to secure the compromised platform and prevent further unauthorized access. The airline increased team training protocols and strengthened system monitoring and detection capabilities across its customer service infrastructure.
Legal Action and Injunctions
Qantas obtained an ongoing injunction through the NSW Supreme Court to prevent the stolen data from being accessed, viewed, released, used, transmitted, or published. This legal mechanism remains active as the airline continues efforts to limit distribution and utilization of the compromised information on dark web markets.
The NSW Supreme Court injunction creates legal liability for anyone knowingly handling the stolen Qantas data. This includes dark web purchasers, data brokers, and criminal networks attempting to monetize the breached records.
October Ransomware Attempt
On October 8, 2025, Qantas publicly confirmed a separate ransomware attempt targeting the airline’s booking systems rather than sensitive customer data categories. Security teams detected unauthorized access quickly, triggering immediate forensic analysis and public disclosure. This incident involved unidentified hackers distinct from the July breach actors.
Timeline of the Qantas Cyber Incident
- Unusual activity detected on third-party customer servicing platform at Manila call center
- Public disclosure of cyberattack initiated
- Threat actors contact Qantas with extortion attempt
- Comprehensive breach confirmation and customer notification completed
- Scattered LAPSUS$ Hunters launch Data Leak Site listing 39 victims with final ransom deadline
- Qantas confirms separate ransomware attempt targeting booking systems
- Ransom deadline passes without payment
- Public data dump executed on dark web including Qantas and Vietnam Airlines information
What Has Been Confirmed?
| Established Information | Information That Remains Unclear |
|---|---|
| 5.7 million customer records compromised | Specific individuals within Scattered Spider responsible |
| Scattered Spider (UNC3944) attribution | Whether ransom demands were monetary or data-deletion focused |
| Social engineering via MFA fatigue | Exact number of threat actors with direct access |
| Financial data remained secure | Long-term dark web distribution scope |
| Data publicly dumped October 11-13 | Specific booking system vulnerabilities in October attempt |
| NSW Supreme Court injunction active | Full technical forensics of October ransomware attempt |
Historical Context and Industry Impact
The July 2025 breach represented Australia’s most high-profile cyberattack since telecommunications provider Optus and health insurer Medibank suffered major incidents in 2022. Those previous breaches prompted the implementation of mandatory cyber resilience laws across Australian critical infrastructure sectors, establishing the regulatory framework under which Qantas’s response was evaluated.
The incidents highlighted persistent vulnerabilities in airline industry supply chains, particularly third-party customer service platforms that process loyalty program data. The targeting of Frequent Flyer information suggests threat actors value aviation loyalty data for spear-phishing campaigns against high-net-worth travelers and corporate accounts.
Aviation sector cybersecurity has become increasingly critical as airlines digitize passenger services and loyalty programs. The Qantas incidents demonstrate how threat actors pivot from direct network intrusions to exploiting weaker links in outsourced service provider ecosystems.
Official Statements and Expert Analysis
“The ongoing injunction through the NSW Supreme Court remains in place to prevent the stolen data from being accessed, viewed, released, used, transmitted or published.”
— Qantas Official Cyber Incident Statement
“Scattered Spider’s targeting of airline customer service platforms represents an evolution in social engineering tactics, focusing on outsourced operations with privileged access to loyalty databases.”
— Cybersecurity Incident Analysis, CISO Platform
Current Status and Key Takeaways
As of late 2025, the stolen Qantas customer data remains in circulation on dark web forums following the October public dump, while the NSW Supreme Court injunction continues providing legal recourse against data handlers. The airline maintains enhanced monitoring protocols and has not reported additional successful intrusions since the October ransomware attempt was contained. Affected customers should maintain vigilance against phishing attempts leveraging Frequent Flyer information and verify communications directly through official Qantas channels.
Frequently Asked Questions
Who is behind the Qantas hack?
The July 2025 breach was attributed to Scattered Spider (UNC3944), a threat group known for social engineering attacks against airlines. The October ransomware attempt involved unidentified hackers.
Was the Qantas incident a ransomware attack?
The July incident was a data breach with extortion demands, while a separate ransomware attempt occurred in October 2025 targeting booking systems. The July breach resulted in public data release after non-payment.
How many customers were affected?
5.7 million customers total: 1.7 million had high-impact records including addresses and dates of birth compromised, while 4 million had standard records with names, emails, and Frequent Flyer numbers exposed.
Was my credit card information stolen?
No. Qantas confirmed credit card details and personal financial information were not compromised, as the breached third-party platform did not process payment data.
Has the stolen data been released?
Yes. After a ransom deadline passed on October 10, 2025, threat actors publicly dumped Qantas customer data on the dark web between October 11-13, 2025.
What is Qantas doing to protect affected customers?
Qantas obtained an ongoing NSW Supreme Court injunction to prevent data use, increased security training, strengthened monitoring systems, and notified all affected customers directly.
Are the July and October incidents connected?
No evidence suggests a connection between the July data breach (Scattered Spider) and the October ransomware attempt (unidentified actors). They targeted different systems using different methods.



