Qantas Hit By Cyber Incident Amid Scattered Spider Targeting Aviation Sector

Qantas has confirmed a cyberattack that exposed the personal information of millions of customers. The breach originated not within the airline's own IT infrastructure but through a third-party platform used to support customer service operations.

According to Qantas, the incident was detected and contained on Monday. The attackers exploited a system managed by an external vendor, but Qantas asserted that its core systems and operational environment remained secure.

The airline reported that the compromised data included names, dates of birth, email addresses, and frequent flyer tier statuses. However, Qantas clarified that no passwords, credit card numbers, passport details, or travel histories were exposed. After noticing unusual system activity, Qantas launched an internal investigation and brought in third-party cybersecurity experts to contain the breach.

In an email to customers, the airline explained,

On Monday, we detected unusual activity on a third-party platform used by one of our airline contact centres. We immediately contained the incident and can confirm all Qantas systems remain secure.

Our initial investigations show the compromised data includes some customers' names, email addresses, dates of birth and Frequent Flyer numbers. Importantly, no credit card details, personal financial information and passport details are held in the system that was accessed. No Frequent Flyer accounts, passwords, PIN numbers or log in details have been compromised.

Qantas CEO Vanessa Hudson addressed the breach publicly, stating,

I wanted to update you on a cyber incident that occurred in one of our contact centres impacting customer data. The system is now contained. For those customers whose information has been potentially compromised you will receive further communication from us shortly.

To all our customers, I would like to sincerely apologise that this has occurred.
There is no impact to Qantas' operations or the safety of our airline. However, we understand that when personal information is at risk, it can affect peace of mind, so we wanted to update all of our customers on what occurred and what we are doing.

Qantas also notified the Australian Cyber Security Centre, the Office of the Australian Information Commissioner, and the Australian Federal Police. The airline pledged continued communication with customers and emphasized that existing controls protected its core systems and flight safety operations.

This breach emerged as part of a broader pattern of cyberattacks against the aviation sector. On the same day, the ALPHV/BlackCat ransomware group claimed responsibility for an attack on another airline, alleging it had stolen customer data, emails, and internal documents. While there is no confirmed connection between the incidents, cybersecurity researchers have observed that sophisticated threat actors are focusing intensely on the aviation industry.

Security analysts attributed many of these attacks to the threat group known as Scattered Spider, also referred to as UNC3944, Octo Tempest, or 0ktapus. The group has earned notoriety for its skilled use of social engineering, SIM swapping, and exploitation of identity systems to gain unauthorized access.

Scattered Spider often targets help desks and multi-factor authentication workflows to infiltrate organizations. Frequently, the group collaborates with ransomware operators like BlackCat, Qilin, and RansomHub.

The U.S. government and private cybersecurity firms have issued multiple advisories warning about Scattered Spider's advanced tactics. These include phishing, credential theft, and real-time engagement with support personnel to bypass identity verification measures. The group's ability to emulate insider knowledge and manipulate authentication systems has made it one of the most dangerous adversaries currently active in the cyber threat landscape.

Scattered Spider's Campaign Expands to the Air

On June 12, Scattered Spider allegedly compromised the systems of WestJet, Canada's second-largest airline. The attack disrupted internal operations and the mobile application. Sources close to the investigation said WestJet brought in cybersecurity experts from Palo Alto Networks and Microsoft to contain the incident. Although the airline has not officially attributed the breach, investigators believe Scattered Spider orchestrated the intrusion.

The attackers reportedly gained initial access by abusing a self-service password reset on an employee account, which allowed them to register a new multi-factor authentication (MFA) device. They then leveraged Citrix to access WestJet's network remotely. This approach mirrored Scattered Spider's known strategy of targeting identity infrastructure to hijack legitimate user access.
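A defender-side correlation for the sequence described above (self-service password reset, then a new MFA device registration, then a remote-access logon), as an added example that is not part of the original article. The event names, field names and sample log entries are constructed assumptions; map them to your identity provider's actual audit schema.

```python
from datetime import datetime, timedelta

# Constructed sample identity events (not from any real incident).
# Field and action names are hypothetical placeholders for an IdP audit schema.
SAMPLE_EVENTS = [
    {"ts": "2030-01-13T08:00:00", "user": "c.wu", "action": "mfa_device_registered", "src": "192.0.2.9"},
    {"ts": "2030-01-15T02:10:00", "user": "a.chen", "action": "sspr_password_reset", "src": "203.0.113.7"},
    {"ts": "2030-01-15T02:14:00", "user": "a.chen", "action": "mfa_device_registered", "src": "203.0.113.7"},
    {"ts": "2030-01-15T02:20:00", "user": "a.chen", "action": "remote_gateway_logon", "src": "203.0.113.7"},
    {"ts": "2030-01-15T08:00:00", "user": "c.wu", "action": "remote_gateway_logon", "src": "192.0.2.9"},
    {"ts": "2030-01-15T09:00:00", "user": "b.ortiz", "action": "sspr_password_reset", "src": "198.51.100.4"},
    {"ts": "2030-01-15T09:05:00", "user": "b.ortiz", "action": "remote_gateway_logon", "src": "198.51.100.4"},
]

# Ordered steps that together indicate a possible account takeover.
CHAIN = ("sspr_password_reset", "mfa_device_registered", "remote_gateway_logon")

def find_reset_enroll_logon(events, window=timedelta(hours=1)):
    """Alert when one user completes CHAIN in order, each step within
    `window` of the previous matched step. Unrelated events are ignored."""
    alerts = []
    progress = {}  # user -> list of (timestamp, event) matched so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        matched = progress.get(ev["user"], [])
        if matched and ts - matched[-1][0] > window:
            matched = []  # partial chain went stale
        if ev["action"] == CHAIN[0]:
            matched = [(ts, ev)]  # a fresh reset restarts the chain
        elif matched and ev["action"] == CHAIN[len(matched)]:
            matched = matched + [(ts, ev)]
        if len(matched) == len(CHAIN):
            alerts.append({
                "user": ev["user"],
                "started": matched[0][1]["ts"],
                "completed": ev["ts"],
                "minutes": (ts - matched[0][0]).total_seconds() / 60,
                "sources": sorted({e["src"] for _, e in matched}),
            })
            matched = []
        progress[ev["user"]] = matched
    return alerts

if __name__ == "__main__":
    for alert in find_reset_enroll_logon(SAMPLE_EVENTS):
        print(alert)
```

A reset followed directly by a logon (b.ortiz) or an MFA registration with no preceding reset (c.wu) does not alert; only the full ordered chain inside the time window does.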

The group's consistent use of social engineering, help desk impersonation, and MFA manipulation has set it apart from other cybercriminals. Scattered Spider continues to evolve its approach by focusing on identity-centric vulnerabilities while maintaining a clear preference for targeting high-value sectors.

Later that same day, Hawaiian Airlines disclosed it had also experienced a cyberattack. While the airline provided limited technical details, a source close to the matter suggested Scattered Spider was responsible. The close timing and similar tactics indicate a broader, possibly coordinated campaign against North American aviation entities.

Meanwhile, around the same time, American Airlines reported an unrelated IT outage. The company has not yet disclosed the cause of the disruption, and it remains unclear whether it is connected to the other attacks.

These incidents collectively signal a significant escalation in cyberattacks targeting the aviation sector. Scattered Spider's tactical focus on identity exploitation and its apparent shift toward transportation infrastructure have introduced a new level of risk for global airlines. Security teams must enhance identity management protocols, monitor user behavior more rigorously, and defend against advanced social engineering, which now defines this threat actor's playbook.

This breach also underscores the importance of identity-focused cybersecurity. Customer service platforms and support desks have become prime targets for adversaries seeking initial access. To counter this, organizations must harden authentication workflows, educate personnel on impersonation tactics, and closely monitor for behavioral anomalies.

As Qantas continues its remediation efforts and supports affected customers, the aviation industry faces mounting pressure to strengthen its cybersecurity defenses. The sector must prepare for sustained, sophisticated attacks, with threat actors like Scattered Spider showing increasing interest in transportation and logistics targets.

Qantas's handling of the incident, marked by swift containment, public transparency, and proactive communication, deserves recognition as a benchmark for incident response best practices.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
