A Growing Crisis in Australian Aviation
The recent Qantas cyber security breach has shaken millions of Australians and revealed significant weaknesses in the airline’s IT infrastructure. Up to six million customers have had their personal data compromised following an attack on a third-party call centre servicing Qantas. The breach extracted sensitive customer details, including names, email addresses, phone numbers, dates of birth, and Qantas frequent flyer numbers.
Despite reassurances from Qantas, the incident has left customers frustrated and concerned, particularly in light of the airline’s track record of IT failures over recent years.
“No Requirement to Reset”: What Qantas CEO Says About Passwords
In response to the breach, CEO Vanessa Hudson emailed impacted frequent flyers to reassure them that login credentials such as passwords and PINs remain safe.
“I want to reassure our frequent flyers that there’s no requirement to reset your password or PIN,” Hudson wrote. “If you’re having trouble accessing your account, reset your password or call the Frequent Flyer Service Centre.”
Qantas CEO Vanessa Hudson [Image Credit: AAP / Dan Himbrechts]
According to Qantas, the attack did not involve the theft of passwords or financial data, and login security remains intact due to two-factor authentication (2FA). This built-in security requires users to verify their identity through a one-time password sent via email or SMS before gaining access.
What Was Taken and How
The cybercriminal targeted a third-party call centre, most likely in the Philippines, using tactics that mirror those employed by the Scattered Spider ransomware group. These attackers reportedly impersonated staff or contractors to trick IT support into bypassing multi-factor authentication.
The stolen data includes:
- Full names
- Email addresses
- Phone numbers
- Dates of birth
- Qantas frequent flyer numbers
Thankfully, credit card numbers, passport details, and other financial data were not stored on the compromised platform.
Potential Risks to Qantas Frequent Flyer Accounts
While Qantas claims no accounts were compromised, security experts advise caution. Hackers now have access to two of the three elements needed to log into a Qantas frequent flyer account: a member’s surname and account number.
If a customer reuses their PIN across platforms, the risk increases. However, the presence of 2FA helps mitigate unauthorised access attempts. The airline also alerts users when their account is accessed from a new device.
Cybersecurity experts advise using an authenticator app instead of SMS-based 2FA for added security and changing any recycled PINs immediately.
Government Urges Caution
Australia’s National Cyber Security Coordinator, Lt Gen Michelle McGuinness, urged Qantas flights customers to remain vigilant.
“People should not respond to unsolicited messages or phone calls. If someone contacts you claiming to be from an official source, hang up and find the contact details yourself,” she said.
McGuinness encouraged Australians to use strong and unique passwords, update their software regularly, and use password managers to securely store credentials.
The government has established a dedicated website to help individuals enhance their personal cyber defences.
A Pattern of Digital Failures
This Qantas cyber security breach is not an isolated case. Over the past three years, Qantas flights have dealt with multiple technology-related crises:
- May 2024: A mobile app glitch allowed customers to see the personal information of other travellers.
- September 2023: A failed rollout of a cloud-based cargo system left live animals and perishable goods stranded.
- Late 2022: An IT outage grounded domestic flights across Australia, disrupting travel nationwide.
- 2020: During the COVID pandemic, Qantas failed to issue refunds promptly due to outdated systems.
Despite these ongoing issues, Qantas continued to rely on offshore call centres. This latest breach raises further questions about outsourcing and the inadequate risk management of third-party providers.
Hudson’s Handling Under Scrutiny
CEO Vanessa Hudson, who took over from Alan Joyce, faces mounting pressure. Although she has committed to investing millions over three years to modernise Qantas.com and related systems, the airline’s handling of this breach has drawn criticism.
Qantas took 48 hours to notify customers, during which time it had already alerted regulators. This delay sparked public outrage, particularly in the wake of similar data breaches at Optus and Medibank in 2022.
When contacted by media, the breach support line redirected calls to the UK, where agents provided little assistance and confirmed there would be no compensation.
Growing Pressure for Reform
The Qantas flights airline has promised a complete overhaul of its outdated customer-facing platforms, but progress appears to be slow. Many customer complaints continue to flood social media, highlighting poor service and inconsistent communication.
Critics argue that Qantas underinvested in IT and security while prioritising profit and executive bonuses. Now, with annual results on the horizon, analysts will closely watch whether this breach affects executive pay or triggers internal reform.
What Should You Do If You’re Affected?
If Qantas notified you that your data was exposed:
- Be alert for suspicious emails or messages
- Do not click on unknown links or share personal details over the phone
- Use strong, unique passwords for all accounts
- Enable 2FA or switch to an authenticator app
- Monitor your Qantas frequent flyer account for unusual activity
On the other hand, a terrifying case involving Japan Airlines came to light today. Read the full news and other vital headlines today:
Also Read: Eileen Bond, Beloved Socialite and Former Wife of Alan Bond, Dies at 87
Also Read: Life and Death Divide: Wealth Still Shapes Lifespan in Australia
Final Thoughts
The Qantas cyber security breach highlights deeper issues with the airline’s reliance on outdated IT systems and offshore operations. While passwords remain secure for now, the breach underscores the importance of stronger digital governance and transparency.
For Qantas, this is more than just another public relations crisis. It is a wake-up call to take cybersecurity seriously and rebuild the trust of its millions of passengers, who expect not just safety in the skies but also online.
