The personal data of six million Qantas customers has been compromised in a major data breach involving one of the company’s contact centres, the airline confirmed just days after the FBI warned notorious cybercrime group Scattered Spider is targeting companies in the aviation sector.

The “concerning” breach was detected on Monday 30 June and has now been contained, the Australian airline said in its official confirmation of the incident, which it said occurred “when a cybercriminal targeted a call centre and gained access to a third party customer servicing platform.”

The compromised platform contains records on millions of Qantas customers, the airline said, noting that while it is continuing to investigate how much of the data has been stolen “we expect it will be significant.”

Stolen data includes customer names, email addresses, phone numbers, dates of birth and frequent flyer numbers – although Qantas was quick to point out that the system does not store credit card details, personal information, or passport details.

Qantas is contacting affected customers; has notified the Australian Cyber Security Centre, Office of the Australian Information Commissioner (OAIC) and the Australian Federal Police; and established a dedicated line (1800 971 541) to handle enquiries from concerned customers.

“We sincerely apologise to our customers and we recognise the uncertainty this will cause,” Qantas Group CEO Vanessa Hudson said, noting that “our customers trust us with their personal information and we take that responsibility seriously.”

Cybercrime group takes to the skies

Signs suggest the breach may have come not from a direct hack, but from the targeted exploitation of weaknesses in its caller verification processes – which experts note is a hallmark of a cybercrime group called ‘Scattered Spider’ or UNC3944, which began operating in 2022.

In 2023, the group – which is known for using social engineering to bypass multi-factor authentication (MFA) processes, and ‘living off the land’ techniques to avoid detection once inside victims’ networks – breached Las Vegas casino Caesars and extorted $23 million ($US15 million).

Reportedly, US- and UK-based group members posing as an MGM employee called an IT helpdesk claiming they needed to recover their password, while in other incidents they tricked employees into giving them network access or peppered workers with MFA prompts until they relented.

Scattered Spider has also been linked to recent breaches of UK retailers Harrods and Marks & Spencer, whose CEO Stuart Machin was directly harassed by the hackers as he fought to right the 141-year-old retailer from a breach that’s expected to cost it over $627 million (£300 million).


It is believed Qantas was breached via a third-party vendor by cybercrime group Scattered Spider. Photo: Shutterstock

More recently, Scattered Spider has reportedly turned its focus to aviation, with the FBI warning last week that the group “targets large corporations and their third-party IT providers, which means anyone in the airline ecosystem, including trusted vendors and contractors, could be at risk.”

The group’s other strategies include convincing IT help desks to register unauthorised mobiles or other MFA authorisation devices to legitimate employees’ accounts – allowing the criminals to log on and assume legitimate employees’ network privileges.
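The two identity patterns described above (repeated MFA prompts that end in an approval, and an MFA device enrolled on a user's behalf and then used to log in) can be surfaced from authentication audit logs. The following is an added illustration, not code from Qantas, the FBI or any vendor named in this article; the event names, field layout, thresholds and sample events are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical schema:
# (timestamp, account, event, actor who performed it, device)
EVENTS = [
    ("2025-07-01T09:00:00", "alice", "mfa_push_denied", "alice", "phone-A"),
    ("2025-07-01T09:00:40", "alice", "mfa_push_denied", "alice", "phone-A"),
    ("2025-07-01T09:01:10", "alice", "mfa_push_denied", "alice", "phone-A"),
    ("2025-07-01T09:01:50", "alice", "mfa_push_approved", "alice", "phone-A"),
    ("2025-07-01T10:00:00", "bob", "mfa_device_enrolled", "helpdesk-7", "phone-Z"),
    ("2025-07-01T10:04:00", "bob", "login_success", "bob", "phone-Z"),
    ("2025-07-01T11:00:00", "carol", "mfa_push_denied", "carol", "phone-C"),
    ("2025-07-01T11:30:00", "carol", "mfa_push_approved", "carol", "phone-C"),
    ("2025-07-01T12:00:00", "dave", "mfa_device_enrolled", "dave", "phone-D"),
    ("2025-07-01T12:01:00", "dave", "login_success", "dave", "phone-D"),
]

def detect(events, push_window=timedelta(minutes=5), min_denials=3,
           enrol_window=timedelta(minutes=30)):
    """Return alerts as (rule, account, timestamp) tuples, in time order."""
    alerts = []
    denials = {}   # account -> timestamps of denied pushes not yet followed by an approval
    enrolled = {}  # (account, device) -> time a device was enrolled by someone else
    for ts, user, event, actor, device in sorted(events):
        t = datetime.fromisoformat(ts)
        if event == "mfa_push_denied":
            denials.setdefault(user, []).append(t)
        elif event == "mfa_push_approved":
            # An approval that closes a burst of denials suggests the user relented.
            recent = [d for d in denials.pop(user, []) if t - d <= push_window]
            if len(recent) >= min_denials:
                alerts.append(("push_fatigue", user, ts))
        elif event == "mfa_device_enrolled" and actor != user:
            # Enrolment done on the user's behalf, e.g. by a help desk agent.
            enrolled[(user, device)] = t
        elif event == "login_success" and (user, device) in enrolled:
            # First login from a device someone else enrolled, soon after enrolment.
            if t - enrolled.pop((user, device)) <= enrol_window:
                alerts.append(("helpdesk_enrolled_device_login", user, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Neither alert proves compromise on its own; each marks a session worth verifying with the account owner through a separate channel.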

Authorities say that if Scattered Spider is indeed responsible, Qantas may just be one of many airlines to be hit as the group tends to target one industry at a time.

As a “high value target with a complex, and historically challenging, environment to secure… it would be of little surprise if the Australian aviation sector had come within [UNC3944’s] crosshairs,” said Elliot Dellys, CEO of Australian cyber security company Phronesis Security.

“It is also a timely reminder for organisations that effective cybersecurity is about far more than just having the latest tech,” he added, noting “breaches are frequently the result of inadequate third-party risk management, human error, or well-intended people doing the wrong thing.”

It’s a question of trust

Qantas shares were down in early trading after the breach was announced, highlighting the reputational damage it has already caused an airline whose losing streak continued when it was recently named Australia’s fifth least-trusted brand.

Qantas was last year fined $100 million for deceptive conduct, and caused a mass privacy breach when a bug in its mobile app let travellers view and change other Qantas customers’ details – and this latest breach is certain to continue its losing streak as customers push back and fines accrue.

Whatever its victims’ commitment to data security, Scattered Spider’s low-and-slow approach to infiltrating networks is proving very effective – which, Exabeam APJ vice president of sales Gareth Cox noted, shows why AI has become so important to cybersecurity defence.

“Traditional security controls don’t detect risk when someone or something logs in, nor do they understand users and behaviour,” he said, noting that “AI and machine learning would flag the abnormal behaviour once the attacker logged into the environment with the stolen credentials.”

“They would track the activity, ask hundreds of questions and flag a security case based on the behaviour so that the security operations team can respond quickly.”

Security firm Mandiant recently published guidance to help companies harden their systems against UNC3944, including training help desk personnel in ‘positive identity’ techniques like using on-camera or in-person verification to identify employees with privileged accounts.

“You can do everything right inside your business but if a supplier is compromised, you’re still exposed,” said Ben Le Huray, solutions architect team leader with Ingram Micro, who advised companies that “third-party risk management needs to be part of your core governance process.”

“Understand what access your vendors have, ask for their security credentials, and build supply chain monitoring into your cyber strategy.

“Regular reviews, incident response planning, and threat intelligence can help you spot and respond to risks before they become breaches.”