Qantas Breach Exposes Millions of Customer Records

Qantas faces renewed scrutiny after a cyber breach at an offshore call centre exposed personal data tied to 5.67 million customer records.
Updated on

The OAIC report states the incident stemmed from a cyberattack on a call centre database used to service Qantas customers. The system stored names, street addresses, phone numbers, dates of birth and email addresses. It also contained frequent flyer numbers, status tiers and seat and meal preferences for millions of travellers. The regulator notes that no credit card details, passports or other financial information sat on the compromised Manila-based database.

Investigators describe the attacker as a “threat actor posing as Qantas IT help” who targeted the offshore operation. By impersonating internal support, the cybercriminal persuaded a call centre agent to grant access to a customer platform. The breach was triggered on Saturday 28 June 2025 when the agent authorised the access request. That single approval unlocked the trove of personal and travel data tied to 5.67 million customer records.

Privacy specialists argue the breach shows how social engineering can sidestep technical controls and standard cybersecurity defences. The attack exploited trust in internal IT support, rather than hacking around system safeguards. It also highlighted the risk concentration created when global airlines centralise sensitive customer information in outsourced call centres.

Sources

Updated on

Our Daily Newsletter

Everything you need to know across Australian business, global and company news in a 2-minute read.