Did a Supply Chain Flaw Expose 6 Million Qantas Flyers Data?

When six million Qantas customers find their personal details exposed in a cyberattack, the focus quickly shifts to how it happened.

Behind the breach lies a complex web of supply chain vulnerabilities that extend far beyond a single airline.

The data breach, confirmed by Qantas, came through one of its third-party service platforms used by customer service teams.

On 30 June, unusual activity was detected on the system, prompting the airline to launch containment protocols immediately.

Unfortunately, by then hackers had already accessed key customer information including names, phone numbers, email addresses, birth dates and frequent flyer numbers, from anyone who had contacted Qantas support in the past.

Supply chain weak points 

The attack did not come through Qantas' main infrastructure or internal systems.

Instead, it was delivered through a platform used by their contact centre teams — a third-party provider tasked with managing customer interactions.

While the airline confirms that credit card numbers, login credentials, passport and financial details were not stored on the compromised system, the breach still hands over a trove of customer data to the attackers.

Security experts say this type of supply chain weakness is now one of the biggest risks facing the aviation sector.

Aakin Patel, former Chief Information Security Officer at Harry Reid Airport in Las Vegas, explains that the communication tools used by support teams are often the most vulnerable.

“Airlines rely heavily on call centres for a lot of their support needs,” he told CNN, which makes them “a likely target for groups like this”.

It’s a stark reminder that even if an organisation locks down its own internal systems, it can still be exposed through external providers. The breach adds Qantas to a growing list of businesses suffering due to the weakest links in their digital supply chain.

Qantas’ crisis response

Qantas Group CEO Vanessa Hudson has publicly apologised, posting a statement on the airline’s website.

“We sincerely apologise to our customers and we recognise the uncertainty this will cause,” she says.

“Our customers trust us with their personal information and we take that responsibility seriously.”

Hudson confirms that Qantas' safety systems and flight operations are unaffected, and the company has launched a support line and a dedicated webpage to provide updates. Behind the scenes, Qantas is now working with the Australian Federal Police, the Office of the Australian Information Commissioner and the Australian Cyber Security Centre.

The airline has also engaged with the Federal Government’s National Cyber Security Coordinator and is relying on outside cybersecurity experts to fully assess the breach.

According to Qantas, several new measures are already being introduced, aimed at improving access control and real-time monitoring to reduce risk going forward.

Pressure mounts as aviation sector becomes a cyber target

This attack is part of a broader trend putting global aviation supply chains under scrutiny.

In the past fortnight alone, Hawaiian Airlines and Canada’s WestJet have reported similar data breaches. Intelligence from the FBI suggests that a known cybercrime group called Scattered Spider — already linked to disruptions in UK supermarket supply chains — is shifting its focus toward airlines.

Jeffrey Troy, CEO of Aviation ISAC, which oversees cybersecurity in the global airline industry, says commercial motivations may not be the only factor.

“Our members are keenly alert to attacks from financially motivated attackers and collateral impacts emanating out of geopolitical tensions around the world,” he explains.

Scattered Spider’s operating model poses unique challenges for law enforcement.

Elliot Dellys, CEO of Australian firm Phronesis Security, explains that the group is believed to consist of a dispersed network of young hackers in the United States and United Kingdom.

“Rather than being composed of a centralised command and control structure like Russian ransomware groups,” he says, “it is believed to be composed of a disparate group of young hackers.”

That decentralisation makes taking down the group’s operations harder to coordinate, and harder still to execute. “If this incident is the result of a third-party compromise,” Elliot adds, “it adds to an increasing list of major Australian organisations that have done their utmost to secure data, just to have it exposed via a third party.”

Australia is already experiencing a sharp rise in high-profile cyberattacks this year. The Office of the Australian Information Commissioner has reported that 2024 saw more data breaches than any year since records began in 2018.

In 2025, that trend appears to be continuing.