Australia’s national carrier, Qantas Airways, announced on Sunday that a significant amount of its customer data has been exposed online. This leak stems from a cyberattack in July that targeted various companies globally.
In an official statement, Qantas revealed that cybercriminals illicitly obtained 5.7 million customer records. The breach occurred by targeting a third-party customer service platform used by one of its call centers. Qantas emphasized that it was not the sole victim, but rather one of several organizations worldwide caught in this widespread cyber campaign.
The airline did not specify how many of these stolen records had been publicly released, nor did it disclose the name of the affected third-party platform or any other companies involved in the attack. Qantas has yet to provide further comment on the situation.
The majority of the compromised data included essential details such as names, email addresses, and frequent-flyer information. A lesser, but still critical, subset of records contained more sensitive personal information, including customers’ business or home addresses, birth dates, phone numbers, genders, and even meal preferences.
Qantas reassured the public that no new intrusions have been detected and confirmed its full cooperation with Australian security authorities. Additionally, the airline secured a court injunction to block any unauthorized access, viewing, release, use, transmission, or publication of the stolen data.
According to Troy Hunt, a prominent cybersecurity expert based in Australia, this leak is believed to be the initial public exposure from the extensive July cyberattack. Investigators have remained tight-lipped about the identities of other affected companies or the overall scale of this malicious campaign.
However, Mr. Hunt expressed skepticism regarding the effectiveness of the court injunction, pointing out that similar legal orders in Australia and the UK have often been disregarded by criminals. He highlighted that these injunctions are, in essence, appeals to hackers not to disseminate stolen information.
In a recent interview, Mr. Hunt bluntly stated, ‘It’s completely useless.’
This incident is part of a disturbing trend in Australia, where cybercriminals have successfully compromised the personal data of millions across various sectors, including telecommunications, healthcare, and now, aviation.
For instance, in 2022, telecommunications giant Optus reported a breach affecting almost 9.8 million customers, with sensitive details like names, birth dates, and identification numbers exposed. At the time, this was considered the largest data breach in Australian history.
Also in 2022, Medibank Private, a major health insurer, announced that hackers gained access to the data of approximately 9.7 million policyholders, including private medical claim information. The Office of the Australian Information Commissioner has since initiated civil penalty proceedings against Medibank for this breach.
More recently, in 2024, the Australian federal government confirmed a cyberattack on MediSecure, an electronic prescription service provider. This incident impacted around 13 million individuals, as reported by Australia’s Department of Home Affairs.
Overall, Australian businesses and government bodies reported a record 1,113 data breaches in 2024, according to the Office of the Australian Information Commissioner. This figure represents a significant 25% increase from the 893 breaches recorded in 2023, making it the highest number since mandatory reporting began in 2018.