
Qantas, Australia’s largest airline, has disclosed a significant cyberattack that compromised customer data via a third-party service platform. The breach was detected on Monday after threat actors gained access through a call centre platform used by the airline, potentially compromising the personal data of up to six million customers.

Qantas confirmed the incident has been contained and emphasized that all internal systems remain secure. However, the company warned that a “significant” amount of customer data may have been stolen.

“There are 6 million customer service records in this platform,” Qantas stated. “Our initial review indicates the stolen data may include names, email addresses, phone numbers, birth dates, and frequent flyer numbers.”

The airline assured customers that no credit card or financial data was exposed and that login credentials, including passwords and PINs, were not compromised. A dedicated support line and a website update page have been set up for affected customers.

Qantas Group CEO Vanessa Hudson apologized to customers, stating:

“Our customers trust us with their personal information, and we take that responsibility seriously. We are contacting affected individuals today and are focused on providing them with the necessary support.”

The incident comes at a challenging time for Qantas, which is working to restore public trust after a series of controversies during the COVID-19 pandemic. These include the sale of tickets for flights that were later cancelled and its opposition to Qatar Airways’ bid to expand services to Europe.

Following the breach, Qantas notified the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Australian Federal Police. The airline has also brought in independent cybersecurity specialists to investigate the incident.

Potential Link to “Scattered Spider” Threat Group

Though the culprit’s identity is still unknown, the tactics used are consistent with those of the Scattered Spider ransomware group—a group that has recently targeted airlines and retailers in the US and UK.

The FBI recently warned US airlines about Scattered Spider, noting the group’s use of social engineering to impersonate staff and gain access to internal systems, often bypassing multi-factor authentication. The hackers then steal sensitive data for extortion and may deploy ransomware to lock systems.

Scattered Spider is notorious for social engineering techniques such as phishing, SIM swapping, MFA bombing (flooding a user with push prompts until one is approved), and help desk impersonation to obtain employee credentials and reset or re-enrol their MFA factors.

Their recent pivot toward aviation has included attacks on Hawaiian Airlines and WestJet, where they reportedly exploited a self-service password reset tool to access internal systems.

Security experts have warned that these threat actors often adopt a sector-specific approach, and it remains unclear which industry they will target next.

Recommended Defenses

Organizations are urged to bolster defenses by securing the systems this group targets first: identity management platforms, help desks (in particular the identity-verification steps that precede a password reset or MFA device change), and self-service password reset tools. Complete visibility across infrastructure and identity services, including alerting on unusual reset and enrolment sequences, is key to defending against such attacks.
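As an added illustration of the detection side of these defenses (example code written for this page, not Qantas, GTIG or Palo Alto Networks code), the script below flags the two identity-abuse patterns described in this article: an MFA fatigue sequence (repeated denied or timed-out push prompts followed by an approval) and a help-desk or self-service password reset followed shortly by a new authenticator enrolment and a sign-in from an address the account has never used. The event schema (one dict per event with `ts`, `user`, `event`, `result`, `src_ip` and optional `actor`), the `KNOWN_IPS` baseline and the sample records are constructed assumptions loosely modelled on identity-provider sign-in logs.

```python
"""Detect MFA push fatigue and reset-then-enrol sequences in identity logs.

Added example for this article; not Qantas, GTIG or Palo Alto Networks code.
The event schema and all sample records below are constructed (assumption),
loosely modelled on identity-provider sign-in / audit logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Timestamps are UTC.
SAMPLE_EVENTS = [
    # Normal user: a single push prompt, approved from a known address.
    {"ts": "2025-07-01T08:00:00Z", "user": "a.lee", "event": "mfa_push", "result": "approved", "src_ip": "203.0.113.10"},
    # MFA bombing: seven prompts denied/timed out in six minutes, then one approved.
    {"ts": "2025-07-01T02:10:00Z", "user": "j.doe", "event": "mfa_push", "result": "denied", "src_ip": "198.51.100.7"},
    {"ts": "2025-07-01T02:11:00Z", "user": "j.doe", "event": "mfa_push", "result": "timeout", "src_ip": "198.51.100.7"},
    {"ts": "2025-07-01T02:12:00Z", "user": "j.doe", "event": "mfa_push", "result": "denied", "src_ip": "198.51.100.7"},
    {"ts": "2025-07-01T02:13:00Z", "user": "j.doe", "event": "mfa_push", "result": "denied", "src_ip": "198.51.100.7"},
    {"ts": "2025-07-01T02:14:00Z", "user": "j.doe", "event": "mfa_push", "result": "timeout", "src_ip": "198.51.100.7"},
    {"ts": "2025-07-01T02:15:00Z", "user": "j.doe", "event": "mfa_push", "result": "denied", "src_ip": "198.51.100.7"},
    {"ts": "2025-07-01T02:16:00Z", "user": "j.doe", "event": "mfa_push", "result": "denied", "src_ip": "198.51.100.7"},
    {"ts": "2025-07-01T02:17:30Z", "user": "j.doe", "event": "mfa_push", "result": "approved", "src_ip": "198.51.100.7"},
    # Help desk resets k.smith's password; minutes later a new authenticator is
    # registered and a sign-in succeeds from an address never seen for that account.
    {"ts": "2025-07-01T11:00:00Z", "user": "k.smith", "event": "password_reset", "result": "success", "src_ip": "10.0.0.5", "actor": "helpdesk-op3"},
    {"ts": "2025-07-01T11:04:00Z", "user": "k.smith", "event": "mfa_device_enrolled", "result": "success", "src_ip": "198.51.100.9"},
    {"ts": "2025-07-01T11:05:00Z", "user": "k.smith", "event": "signin", "result": "success", "src_ip": "198.51.100.9"},
]

# Constructed per-user baseline of addresses seen before the window under review.
KNOWN_IPS = {"a.lee": {"203.0.113.10"}, "j.doe": {"203.0.113.22"}, "k.smith": {"203.0.113.31"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, min_failures=5, window=timedelta(minutes=10)):
    """Return (user, failed_count, approving_ip) for each user where at least
    `min_failures` push prompts were denied or timed out within `window` and
    the next prompt was approved. The approval is the signal: a user who
    finally taps "approve" to stop the flood is exactly what the attacker wants."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        failed = []
        for e in evs:
            t = parse_ts(e["ts"])
            if e["result"] in ("denied", "timeout"):
                failed.append(e)
                # Keep only failures that fall inside the window ending at this prompt.
                failed = [f for f in failed if t - parse_ts(f["ts"]) <= window]
            elif e["result"] == "approved":
                if len(failed) >= min_failures and t - parse_ts(failed[-1]["ts"]) <= window:
                    hits.append((user, len(failed), e["src_ip"]))
                failed = []  # an approval closes the sequence either way
    return hits


def detect_reset_then_enrol(events, known_ips, window=timedelta(minutes=30)):
    """Return (user, actor, new_ip) where a password reset (help desk or
    self-service) is followed within `window` by an MFA device enrolment and a
    successful sign-in from an address absent from that user's baseline."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, e in enumerate(evs):
            if e["event"] != "password_reset":
                continue
            t0 = parse_ts(e["ts"])
            later = [x for x in evs[i + 1:] if parse_ts(x["ts"]) - t0 <= window]
            enrolled = any(x["event"] == "mfa_device_enrolled" for x in later)
            new_ip_signins = [x for x in later
                              if x["event"] == "signin" and x["result"] == "success"
                              and x["src_ip"] not in known_ips.get(user, set())]
            if enrolled and new_ip_signins:
                hits.append((user, e.get("actor", "self-service"), new_ip_signins[0]["src_ip"]))
    return hits


if __name__ == "__main__":
    for hit in detect_mfa_fatigue(SAMPLE_EVENTS):
        print("MFA fatigue suspected:", hit)
    for hit in detect_reset_then_enrol(SAMPLE_EVENTS, KNOWN_IPS):
        print("Reset followed by new factor and unknown IP:", hit)
```

Both detections key on sequences rather than single events, because each step on its own (a denied push, a help-desk reset, a new phone enrolled) is routine; it is the combination within a short window that matches the help desk impersonation and MFA bombing tradecraft described above. Tune `min_failures` and the windows to the tenant's baseline, and treat the `actor` field on a reset as the pointer back to the help-desk ticket that should have recorded the caller's identity verification.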

Both Google Threat Intelligence Group (GTIG) and Palo Alto Networks have published detailed guidance on mitigating threats posed by groups like Scattered Spider, which IT administrators are encouraged to review.

Rise of Cyber-Attacks in Australia

The incident adds to a growing trend of cyber-attacks in Australia. In April, hackers targeted superannuation funds, stealing over $500,000. In May, the Office of the Australian Information Commissioner reported a 25% year-on-year increase in data breaches.

Between July and December 2024, there were 595 reported breaches, bringing the year’s total to 1,113—up from 893 in 2023. The health sector reported the highest number of incidents, followed by government, finance, legal and accounting, and retail.

The report revealed that 69% of breaches were due to malicious or criminal activity, with phishing and ransomware among the most common methods. While most breaches affected fewer than 5,000 individuals, two incidents impacted between 500,000 and 1 million people.

A Closer Look At Scattered Spider

Scattered Spider, also known as UNC3944, is a cybercriminal group primarily composed of teenagers and young adults, believed to reside in the United States and the United Kingdom.

The group rose to prominence following high-profile cyberattacks and extortion attempts targeting major casino operators Caesars Entertainment and MGM Resorts International. Beyond these, they have also reportedly targeted companies such as Visa, PNC Financial, Transamerica, New York Life, Synchrony Financial, Truist Bank, Twilio, and, more recently, Snowflake customers.

Alternate Names and Affiliations

While most commonly referred to as Scattered Spider in media and press releases, the group has also been labeled Star Fraud, Octo Tempest, Scatter Swine, and Muddled Libra. They are considered part of a broader cybercriminal ecosystem known as “the Community” or “the Com”, which includes individuals responsible for breaches of major U.S. tech firms.

Origins and Early Tactics

Formed around May 2022, Scattered Spider initially focused on attacks against telecommunications companies. Their methods included SIM swapping, MFA fatigue attacks, and phishing via SMS and Telegram. To disable security software and evade detection they used a bring-your-own-vulnerable-driver technique, loading a legitimately signed Intel Ethernet diagnostics driver affected by CVE-2015-2291 to gain kernel-level code execution. The group is known for its technical sophistication, particularly in cloud platforms such as Microsoft Azure, Google Workspace, and AWS, often leveraging legitimate remote-access tools.

Transition to Critical Infrastructure & Casinos

After targeting infrastructure sectors, the group shifted focus to casinos in 2023.

MGM Resorts Hack

On September 11, 2023, Scattered Spider infiltrated MGM Resorts by impersonating an employee during a call to the company’s help desk, using LinkedIn for social engineering. The next day, MGM reported the breach in a Form 8-K filing with the SEC. The attack disabled hotel systems, including ATMs, room keys, food and beverage credits, and parking charges. Scattered Spider partnered with ALPHV, a ransomware-as-a-service (RaaS) provider.

In July 2024, a 17-year-old from the UK was arrested in connection with the hack. He was released on bail pending trial.

Caesars Entertainment Hack

Scattered Spider reportedly extorted Caesars Entertainment by demanding a $30 million ransom, of which the company paid $15 million. The breach compromised personal data including driver’s license and potentially Social Security numbers. Caesars admitted it could not guarantee the deletion of the stolen data.

There is some dispute over whether Scattered Spider was solely responsible for the Caesars attack, with conflicting reports suggesting involvement from another group.

Aftermath and Lawsuits

Both companies experienced stock drops following the attacks. MGM’s CEO admitted the company was “completely in the dark” during the incident. The FTC and FBI launched investigations, and Moody’s warned of potential credit rating downgrades due to MGM’s operational disruption.

Class-action lawsuits were filed against both MGM and Caesars, alleging negligence in securing customer data. In January 2025, MGM settled for $45 million.

Snowflake Data Breaches

Scattered Spider members were later tied to breaches involving Snowflake customers, where they stole large volumes of data and demanded ransoms. Victims included AT&T, Ticketmaster, Advance Auto Parts, LendingTree, and Neiman Marcus, among nearly 100 organizations.
