Qantas Data Breach Exposes Contact Centre Weakness

The recent cyber attack on Qantas has highlighted a critical issue for both the telecommunications and airline sectors: the cybersecurity risk posed by third-party service providers.

The breach, confirmed by the airline in early July, resulted in the compromise of personal data belonging to approximately six million Qantas customers.

Contact centre platform breached

Unusual activity was first detected on 30 June in a third-party system used by Qantas’ contact centre operations.

The airline responded swiftly, initiating containment measures upon discovery. However, cybersecurity investigators have warned that attackers are now likely in possession of significant amounts of customer data.

Qantas has confirmed that the breach did not impact its core flight operations or safety systems.

The compromised data includes customer names, email addresses, mobile numbers, birth dates and Qantas Frequent Flyer membership numbers. Critically, Qantas clarified that credit card numbers, bank details, login credentials and passport data were not stored on the affected platform.

The airline highlighted that Frequent Flyer passwords and financial data remain secure.

Experts have expressed concern about how reliance on customer-facing communications infrastructure exposes aviation providers to threat actors.

Aakin Patel, former Chief Information Security Officer at Harry Reid Airport in Las Vegas, pointed to a broader vulnerability.

“Airlines rely heavily on call centres for many of their support needs,” he told CNN. “That makes them a likely target for groups like this.”

His remarks highlight an issue facing telecommunications vendors that serve high-profile clients: third-party communications platforms are becoming increasingly attractive to cybercriminal groups seeking mass data access.

A swift and public response

Vanessa Hudson, CEO of Qantas Group, issued a formal apology, acknowledging the potential impact on customer trust.

“We sincerely apologise to our customers and we recognise the uncertainty this will cause,” she said. “Our customers trust us with their personal information and we take that responsibility seriously.”

In response, Qantas has established a dedicated customer hotline and launched an incident-specific web page to keep affected individuals informed. These actions form part of a broader incident response effort involving both internal teams and external partners.

Coordinated government involvement

Qantas has notified several government bodies, including the Australian Federal Police, the Office of the Australian Information Commissioner and the Australian Cyber Security Centre. The airline is cooperating with the National Cybersecurity Coordinator and independent cybersecurity experts to assess the full scope of the breach.

Internal system access protocols are being reviewed and strengthened while enhanced monitoring capabilities are being implemented across the airline’s digital ecosystem.

Aviation sector is under sustained attack

The Qantas breach is the latest in a string of attacks on global airlines. Within the same fortnight, Hawaiian Airlines and WestJet fell victim to cyber incursions.

These incidents have occurred against a backdrop of increasing geopolitical tension and heightened cyber activity targeting the aviation industry.

Jeffrey Troy, CEO of Aviation ISAC, commented: “Our members are keenly alert to attacks from financially motivated attackers and collateral impacts emanating out of geopolitical tensions around the world.”

Cybercrime & the challenge for law enforcement

The cybercrime group Scattered Spider, already linked to attacks on UK supermarket supply chains, is suspected of targeting airlines.

Its decentralised structure presents a unique challenge to law enforcement.

Elliot Dellys, CEO of Australian cybersecurity firm Phronesis Security, notes: “Rather than being composed of a centralised command and control structure like Russian ransomware groups, it is believed to be composed of a disparate group of young hackers living in the United States and United Kingdom.”

“This makes effective action by law enforcement to take down the group and its infrastructure, difficult to coordinate and execute.”

He adds: “If this incident is the result of a third-party compromise, it adds to an increasing list of major Australian organisations that have done their utmost to secure data, just to have it exposed via a third party.”

Implications for Telcos and data security provider

Telcos serving enterprise clients in critical sectors must reassess the security architecture of their platforms to ensure optimal protection.

As contact centres continue to act as digital front doors for organisations, especially in industries such as aviation, healthcare and finance, the security of the communications infrastructure becomes as vital as the integrity of core operational systems.

The Office of the Australian Information Commissioner reported that 2024 was the worst year for data breaches on record.

With Privacy Commissioner Carly Kind warning that cyber threats are showing “no signs of slowing,” vendors across the telco sector will need to tighten partnerships with clients and deliver robust, resilient and regularly-audited cybersecurity solutions.