Your go-to hub for Expert Insights,
Publications, and Resources on
data privacy and compliance

Qantas Airways has confirmed a significant data breach that may have exposed the personal information of up to six million individuals, following a cyberattack targeting a third-party customer service platform used by the airline.

In a statement released by the company, Qantas reported detecting "unusual activity" on June 30 on the platform linked to its contact centre operations. The compromised system held customer data including full names, email addresses, phone numbers, dates of birth, and frequent flyer membership numbers.

While investigations into the breach are ongoing, Qantas has stated that the volume of data potentially accessed is expected to be “significant.” However, the airline assured the public that no financial details, passwords, passport information, or frequent flyer account credentials were stored in the affected system.

The breach was promptly contained after it was discovered, and Qantas is currently working with cyber forensic experts to assess the full scope of the incident. The Australian Federal Police, the Australian Cyber Security Centre, and the Office of the Australian Information Commissioner (OAIC) have all been notified.

“We sincerely apologise to our customers and we recognise the uncertainty this will cause,” said Qantas Group CEO Vanessa Hudson. She added that a dedicated support line has been established for affected individuals and confirmed that there is no impact on airline operations or safety protocols.

This incident follows a rising wave of cyberattacks targeting the aviation industry, including recent strikes against Hawaiian Airlines and Canada’s WestJet. The U.S. Federal Bureau of Investigation (FBI) recently issued an alert warning of ongoing threats from the cybercriminal group “Scattered Spider,” believed to be behind several high-profile intrusions globally.

Qantas’ breach adds to a growing list of Australian organisations affected by cyber incidents in 2025, with AustralianSuper and Nine Media also reporting major data leaks in recent months.

In light of the breach, Australian Privacy Commissioner Carly Kind reiterated the need for stronger cybersecurity practices across sectors. “The trends we are observing suggest the threat of data breaches, especially through the efforts of malicious actors, is unlikely to diminish,” she stated in a recent OAIC update.

As the investigation unfolds, Qantas is urging vigilance among its customer base and encouraging businesses to review their cybersecurity frameworks to mitigate future risks.