Upstream Alert: where did you store your sensitive data?
Data on 5.7 million customers taken from Qantas through a third-party vendor tool. Are you at risk?
Incident response: https://www.qantas.com/au/en/support/information-for-customers-on-cyber-incident.html
What happened?
In late June 2025, Qantas detected unauthorized access to a third-party customer service platform used by an offshore call centre. Attackers exfiltrated data belonging to approximately 5.7 million customers, including names, emails, addresses, phone numbers, dates of birth, and even meal preferences. Next time someone delivers your favorite cake for your birthday, beware of a phishing attempt!
Interestingly, the compromised system wasn’t Qantas’s core infrastructure but a vendor support platform. Data breaches involving third parties like this one are becoming increasingly frequent, which is deeply unsettling for security teams. Securing internal systems is hard enough, and external ones multiply the risk. However, we must highlight that Qantas quickly identified the anomaly (or at least, they say so), meaning they already had some monitoring capabilities in place. That was clearly not enough.
But for customers? Whether the system was internal or external does not matter. They are the victims. They are the ones who will face potential scams.