Qantas Airways has confirmed a significant data breach affecting up to six million customer profiles, prompting a fresh wave of cybersecurity concerns in Australia. The airline disclosed that the breach occurred on 30 June 2025, after it detected “unusual activity” on a third-party platform used by its customer service contact centre.
The compromised data includes names, email addresses, phone numbers, dates of birth, and frequent flyer numbers. While the full extent of the breach is still under investigation, Qantas has warned that the volume of stolen data is likely “significant.” However, the airline has reassured customers that sensitive details such as passport numbers, credit card information, and account passwords or PINs were not compromised.
Qantas responded swiftly, stating that it “took immediate steps and contained the system” following the detection of the breach. The incident has been reported to the Australian Federal Police, the Australian Cyber Security Centre, and the Office of the Australian Information Commissioner (OAIC).
“We sincerely apologise to our customers and recognise the uncertainty this will cause,” said Qantas Group CEO Vanessa Hudson. She added that the breach does not impact flight operations or airline safety and encouraged affected customers to contact a dedicated support line for assistance.
The breach comes amid growing global concern about cybersecurity in the airline industry. Just days before the attack, the FBI issued a warning on X (formerly Twitter), alerting aviation companies to the rising threat posed by the cybercriminal group Scattered Spider. The group is suspected to be behind recent attacks on Hawaiian Airlines, Canada’s WestJet, and UK retailers such as Marks & Spencer.
This incident is part of a troubling trend in Australia. Earlier in 2025, major organisations such as AustralianSuper and Nine Media also suffered substantial data breaches. The OAIC reported that 2024 marked the worst year for data breaches since record-keeping began in 2018.
Australian Privacy Commissioner Carly Kind stressed the need for stronger cybersecurity across both private and public sectors, warning, “The threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish.”
The Qantas breach serves as a sobering reminder of the evolving threat landscape and the urgent need for more robust data protection systems.