Qantas confirms cyberattack on third-party call center app

Leading Australian airline Qantas confirmed July 2 that it experienced a cyberattack on a third-party customer service platform in one of its call centers.

The incident raised alarms before the height of the busy July 4th travel season in the United States. It also follows warnings from Google Cloud and Palo Alto Networks that ransomware group Scattered Spider was targeting airlines after a series of attacks on retailers.  

While Qantas has not confirmed which threat group was responsible, security pros said it bears the hallmarks of Scattered Spider, the same group behind recent attacks on Hawaiian Airlines and Canada’s WestJet Airlines.

“While Scattered Spider has a history of targeting global organizations, including those in Australia, it’s too early to tell if they’ve expanded their current targeting to Australian airline organizations,” said Charles Carmakal, chief technology officer at Mandiant Consulting, Google Cloud. “Global airline organizations should be on high alert of social-engineering attacks and increase identity verification rigor of their help desk.”

In a release issued by Qantas, the company said there are 6 million customers who have service records in the affected platform.

“We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant,” said the airline. “An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers.”

Qantas added that credit card details, personal financial information and passport details are not held in the affected system. Frequent flyer accounts were not compromised; passwords, PIN numbers or login details were not accessed.

Toby Lewis, global head of threat analysis at Darktrace, said the attack was most likely a compromise of a third-party platform such as Salesforce or Zendesk.

“The attack follows their typical playbook: steal legitimate login credentials to walk into systems where critical security protections often aren't enabled by default, while operating from Western countries to appear as legitimate users and bypass standard security filters,” said Lewis. “Expect the stolen customer data — names, emails, birthdates, frequent flyer numbers — to fuel convincing phishing campaigns targeting loyalty programs and tricking customers with fake payment requests using real booking details.”

Ted Miracco, chief executive officer at Approov, said the recent attacks on airlines highlight systemic vulnerabilities in mobile apps and third-party supply chain systems, compounded by a lack of social-engineering defenses and incident response protocols. 

“The aviation industry must recognize the evolving cyber threat landscape based on agentic AI and proactively implement measures to safeguard against future attacks,” said Miracco. “These measures must get beyond MFA, and incorporate a comprehensive zero-trust approach to API security.”

Ira Winkler, vice president and Field CISO at CYE, added that there are several layers to this incident. First, we are dealing primarily with third-party security vulnerabilities. Winkler said we now have yet one more incident to demonstrate that third parties need to adhere to the same data protection standards that are implemented internally.

“While I wish they would identify the criminals with some actual descriptive moniker, such as 'Organized Criminal Hacking Organization' or 'North Korean Government Hackers' to portray the urgency of the attack as opposed to naming it like a Marvel comics villain, we need to understand what the intentions of the criminals are,” said Winkler. “What is the threat to end victims of the compromised customers? Are the criminals potentially going to manipulate airline data to get terrorists on airplanes?”
