Qantas Airways has confirmed a large-scale data breach affecting approximately 5.7 million customers, following unauthorized access to a third-party vendor system supporting its customer contact operations.
According to the airline, the breach occurred through an external platform used by an offshore call center partner. The compromised data includes names, email addresses, and Frequent Flyer numbers. For a subset of around 1.7 million individuals, additional personal details were exposed, including phone numbers, home addresses, dates of birth, and individual meal preferences.
No passwords, credit card numbers, passport data, or government ID details were involved in the breach, and Qantas has stated there is currently no evidence that the data has been leaked publicly.
“We recognize how serious this is for our customers and are contacting each affected individual directly,” a Qantas spokesperson said in a statement. “We’ve taken immediate steps to secure the affected system and are working closely with government authorities, including the Australian Cyber Security Centre and the AFP.”
While the airline’s internal systems were not compromised, the incident raises renewed concerns around third-party cybersecurity risks, particularly in sectors with large customer databases and outsourced support infrastructures.
Industry experts say the nature of the breach, involving call center data and customer loyalty information, reflects a growing trend in cyberattacks that target indirect points of access rather than corporate core systems. These attacks are often executed by sophisticated criminal groups employing social engineering, phishing, or insider access.
Qantas has not disclosed the specific vendor involved, nor whether a ransom demand was made. However, sources familiar with the investigation have indicated that a well-known cybercriminal group may be responsible for the incident.
The airline is continuing its internal investigation while coordinating with cybersecurity and law enforcement agencies. Customers have been advised to remain vigilant, particularly for phishing attempts or fraudulent communications using Frequent Flyer information.
This is one of the most significant Australian data breaches since the 2022 Optus and Medibank incidents, placing renewed focus on vendor due diligence and privacy governance.
Qantas has pledged to provide a dedicated portal for customers to verify what personal information was impacted and is offering support for those seeking guidance on how to protect their data.
