Qantas cyberattack update: 5.7 million customers at risk as names, emails, addresses, phone numbers stolen

Jackson Hewett
The Nightly
Qantas has confirmed the extent of data stolen in the cyberattack on a third-party call centre. Credit: The Nightly

The names, addresses, email addresses and dates of birth of millions of Australians are now in the hands of cybercriminals, in the wake of last week’s Qantas hack.

The airline has revealed that cybercriminals are in possession of highly sensitive personal information, including names, addresses and dates of birth, of 5.7 million customers in the wake of the cyberattack on a third-party call centre in Manila.

While 1.2 million customers’ names and email addresses were compromised, another 2.8 million had those details plus their frequent flyer number compromised.

Concerningly, the remaining 1.7 million customers had far more details stolen in the attack, with the airline confirming that 1.3 million customers’ residential or business addresses were included in the data breach. Of the 1.7 million, 1.1 million had their date of birth, 900,000 had their phone number, and 400,000 their gender.

About 10,000 customers’ meal preferences were also exposed in the breach.

Despite the highly sensitive nature of the information stolen, Qantas was quick to try to reassure customers, noting that no credit card details, personal financial information or passport details were stored in the system that was hacked and “therefore has not been accessed”.

Some addresses stolen were hotel addresses for lost luggage delivery and “there continues to be no impact to Qantas Frequent Flyer accounts,” the airline said.

Qantas said it was progressively emailing affected customers to advise them of the types of personal data that had been stolen.

“Our absolute focus since the incident has been to understand what data has been compromised for each of the 5.7 million impacted customers and to share this with them as soon as possible,” Qantas Group chief executive Vanessa Hudson said.

“From today we are reaching out to customers to notify them of the specific personal data fields that were held in the compromised system and offer advice on how they can access the necessary support services.”

Security experts warn scam attempts may skyrocket in the wake of the hack, similar to the rise in impersonation attacks when Optus was hacked in 2022, exposing 10 million customers’ details.

Legal experts suggest the incident could lead to a class action against Qantas, after compensation claims were made against Optus and Medibank following major breaches in 2022.

Qantas has warned customers to be alert to email, text messages or phone calls from persons purporting to be from Qantas, and to always independently verify the identity of the caller by contacting them through official Qantas channels.

Cybersecurity experts have also advised that everyone should ensure they don’t use the same passwords across multiple logins, and activate two-factor authentication on all possible accounts.

On July 2, Qantas announced that a Manila-based call centre was compromised in a so-called ‘vishing’ attack, where cyber criminals pose as trusted entities to trick victims into releasing sensitive data such as login credentials.

The attack was similar to ones that affected customers of North America’s Hawaiian Airlines and WestJet in recent weeks and is believed to have been perpetrated by a UK and USA-based cyber criminal group called Scattered Spider.

The group is a loose affiliation of mostly English-speaking hackers who talk their way into accessing corporate computer systems, then on-sell the login information to outside cyber criminals who then install ransomware and try to extort payment.

“As this is a criminal matter, we have engaged the Australian Federal Police and won’t be commenting any further on the detail of the contact,” a Qantas spokesperson said.
