Australian airline Qantas has confirmed a major data breach that exposed the personal information of up to six million customers.
The cyberattack targeted a third-party customer service platform connected to a call centre in Manila, Philippines.
The attack, detected on June 30, involved vishing — a form of voice phishing where threat actors impersonate trusted entities over phone calls to steal sensitive information.
The compromised platform held customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers.
Qantas stated that no financial information, credit card data or passport details were stored on the affected system.
Frequent flyer account credentials, passwords and PINs also remain secure.
Operations and flight safety were not impacted, the airline clarified.
Australian intelligence agencies, including the Australian Cyber Security Centre, and law enforcement bodies such as the Australian Federal Police, have been notified.
The Office of the Australian Information Commissioner has also been informed.
The airline has launched a full investigation and set up a dedicated support line and website to keep customers informed.
Impacted customers are being directly contacted.
Qantas Group CEO Vanessa Hudson issued a public apology.
“Our customers trust us with their personal information, and we take that responsibility seriously. We are contacting them directly and offering necessary support,” Hudson said.
