Impacting 6 million customer records
Qantas Airways has confirmed that a cyberattack on one of its third-party contact centres has compromised customer data, affecting up to six million service records.
The Australian airline has not specified which vendor operates the compromised platform or whether that provider also services other airlines in the Asia-Pacific or Middle East regions.
The carrier stated that, although the affected platform has been contained, investigations are ongoing into the extent of the breach.
The airline identified the breach on June 30, 2025, after detecting unusual activity on a third-party customer service platform used by a Qantas call centre. A cyber criminal is believed to have gained unauthorised access to the system, which does not belong to Qantas itself but is operated by an external service provider.
All Qantas-operated systems remain secure and unaffected, the airline said in a media statement on July 2, 2025.
Qantas stated that the stolen data likely includes customer names, email addresses, telephone numbers, dates of birth, and frequent flyer membership numbers. However, the compromised platform does not store credit card details, personal financial data, or passport information.
The airline stated that no frequent flyer accounts were accessed and that customers’ passwords, PINs, and login credentials remain secure.
Qantas has notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. The matter has also been referred to the Australian Federal Police, given its criminal nature. The airline stated that it is working closely with federal authorities in Australia, including the National Cybersecurity Coordinator, and engaging external cyber experts as part of its response.
Additional security protocols
In response to the breach, Qantas has implemented additional security protocols designed to limit further access and enhance real-time monitoring and threat detection. The airline has launched a dedicated customer support line and website page to provide affected customers with the latest updates and access to identity protection services.
The airline’s chief executive, Vanessa Hudson, said Qantas is contacting affected customers directly and acknowledged the breach would cause uncertainty. She said the company takes its obligations seriously and is committed to supporting customers while the investigation continues.
Qantas has advised its customers to remain vigilant and monitor their accounts for unusual activity. The airline has established a support line for affected individuals, providing guidance and resources to help protect their identities. While there is currently no indication of misuse of the exposed data, the investigation remains ongoing, and updates will be provided through official channels.
New concerns
The incident has raised concerns about third-party cybersecurity risks in the aviation sector, particularly in a region like the Middle East, where Gulf carriers and travel operators maintain global partnerships with outsourced platforms.
While Qantas is based in Australia, the breach highlights growing global vulnerabilities as airlines expand their digital services and customer support through external vendors, many of which also support airlines operating in or through the UAE and broader Middle East region.
Frequent flyer numbers are often linked to broader customer loyalty ecosystems, which in some markets include partners in hospitality, banking and retail. This has raised questions among cybersecurity analysts about the potential misuse of exposed data, even if passwords and account access were not compromised.
In recent years, Gulf-based airlines have expanded their loyalty programmes through cross-border partnerships, which may now also need to review the security of their associated data platforms.
Securing outsourced systems
Cybersecurity experts have noted that the attack underscores the importance of securing outsourced systems, which often handle sensitive customer interactions.
While Qantas has not disclosed how the breach occurred, security analysts say these types of incidents often result from phishing attacks, software vulnerabilities or poor access controls on third-party platforms. The aviation industry has been increasingly targeted by cybercriminals seeking personal data that can be resold or used for identity theft.
This is not the first time a major airline has faced a cyber breach. Other global carriers, including British Airways and Cathay Pacific, have previously reported significant data compromises, prompting industry-wide calls for improved security standards, particularly in customer-facing operations.
In the UAE and wider Gulf region, where airlines such as Emirates, Etihad, Qatar Airways and others manage extensive frequent flyer and customer service operations, the Qantas breach serves as a warning to audit and reinforce third-party data infrastructure.
Regional aviation hubs handling large volumes of international passengers are considered high-value targets for cyber threats, especially as they continue to digitise services across borders.
The Qantas breach follows a broader trend of rising cyber incidents in the aviation sector. According to industry analysts, airlines remain particularly vulnerable due to the vast amount of personal data they collect, much of which is shared across international partners and systems.
Regulatory authorities across multiple jurisdictions are expected to closely monitor the outcomes of the Qantas investigation, as it may have implications for global data handling protocols in the travel and tourism sector.
While Qantas continues to reassure its customers that flight safety and operations have not been impacted, the incident raises important questions for the aviation industry about data governance, vendor oversight, and customer trust in a digital age.
Hero image: File image of a Qantas A380 taking off from an undisclosed airport. The airline maintains that no frequent flyer accounts were accessed and that passwords, PINs, and login credentials remain secure. Credit: Soly Moses
