Australian airline Qantas announced on Sunday that customers' personal information was stolen and leaked online in a July cyber attack that targeted businesses around the world.
Qantas said in a statement that cybercriminals targeted call centers that used third-party customer service platforms and stole 5.7 million customer records. Qantas said it was one of a number of companies around the world targeted in the attack.
Qantas did not say how many records were released. It also did not name the third-party platform or say which other companies were targeted. The airline did not respond to requests for comment.
Qantas said in a statement that most of the records stolen were limited to names, email addresses and frequent flyer details. Smaller portions covered the customer's business or home address, date of birth, phone number, gender, or dietary preferences.
Qantas said no further breaches had occurred and it was cooperating with Australian security authorities. The company also said it had obtained a court injunction preventing it from “accessing, viewing, disclosing, using, transmitting, or disclosing” the stolen data.
Australian cybersecurity expert Troy Hunt said the breach appeared to be the first resulting from the July attack. Authorities investigating the attack have not said which other companies were affected or how widespread the attack was.
Mr Hunt said the court's injunction was unlikely to have much of an impact, noting that similar orders had been issued in Australia and the UK but had been ignored. He said such orders essentially only ask criminals not to release stolen data.
“It's completely useless,” Hunt said in an interview.
Cyber attackers have attacked telecommunications, healthcare and aviation companies, exposing the personal data of millions of Australians.
Telecommunications company Optus disclosed a breach in 2022 that exposed the information of around 9.8 million customers, including names, dates of birth and identification numbers, the company announced at the time. At the time, the breach was the largest in Australian history.
In the same year, Medibank Private reported that hackers had accessed the data of approximately 9.7 million policyholders, including medical insurance claim details. The Australian Information Commissioner's Office has commenced civil penalty proceedings against Medibank.
According to the Australian Department of Home Affairs, the federal government announced in 2024 that Medi-Secure, an e-prescription service, suffered a cyberattack that affected approximately 13 million people.
Australian businesses and government agencies reported 1,113 data breaches in 2024, the highest number since reporting requirements began in 2018, according to the Australian Information Commissioner's Office. This is an approximately 25% increase from the 893 breaches reported the previous year.
